directory-commits mailing list archives

Subject svn commit: r1004867 - in /websites/staging/directory/trunk/content: ./ api/user-guide/5.1-ldaps.html
Date Sat, 14 Jan 2017 08:05:04 GMT
Author: buildbot
Date: Sat Jan 14 08:05:04 2017
New Revision: 1004867

Staging update by buildbot for directory

    websites/staging/directory/trunk/content/   (props changed)

Propchange: websites/staging/directory/trunk/content/
--- cms:source-revision (original)
+++ cms:source-revision Sat Jan 14 08:05:04 2017
@@ -1 +1 @@

Modified: websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html
--- websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html (original)
+++ websites/staging/directory/trunk/content/api/user-guide/5.1-ldaps.html Sat Jan 14 08:05:04
@@ -272,11 +272,11 @@ h2:hover > .headerlink, h3:hover > .head
 <h2 id="using-a-configuration">Using a configuration<a class="headerlink" href="#using-a-configuration"
title="Permanent link">&para;</a></h2>
 <p>One step further : you can define a dediated configuration that is passed to the
constructor. Many parameters can be defined :</p>
-<li>the enabled cipher suites</li>
+<li>the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
 <li>the enabled protocols : a list of protocals that may be used ( "SSLv3", "TLS",
"TLSv1", "TLSv1.1", "TLSv1.2")</li>
 <li>the KeyManager instances</li>
 <li>the SecureRandom instance</li>
-<li>the SSL protocol to use</li>
+<li>the SSL protocol to use : one of the enabled protocols</li>
 <li>the TrustManager instances</li>
 <p>All those parameters are configured using the <em>LdapConnectionConfig</em>
class :</p>
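Review bot: the added cipher-suite item is left open: `+<li>the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",` has neither a closing parenthesis nor a `</li>`, so the generated HTML is malformed and the following `<li>the enabled protocols ...` nests inside it; end the example list with `...)</li>`. While touching this list, the unchanged "enabled protocols" line still advertises "SSLv3", which is deprecated and should not be offered as a usable value, and the surrounding context has two typos ("dediated", "protocals") worth fixing in the same commit.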
@@ -296,6 +296,15 @@ h2:hover > .headerlink, h3:hover > .head
+<h2 id="ldaps-or-starttls">LDAPS or startTLS ?<a class="headerlink" href="#ldaps-or-starttls"
title="Permanent link">&para;</a></h2>
+<p>The important point to understand with <strong>LDAPS</strong> is that
every request being exchanged between the client and the server will be encrypted, because
the underlying transport is encrypted. That means you can't start communicating with the LDAP
server before the connection is secured.</p>
+<p>It has a few drawbacks :
+- first of all, it has an added CPU cost, as everything has to be encrypted and decrypted.
+- second, it requires a dedicated port, thus some specific routing rules (firewall, load
balancers, etc)
+- third, it's a all of nothing choice. If you want to come back to a non-encrypted communication,
you need to use another connection.</p>
+<p>This is the reason why the <strong>startTLS</strong> extended operation
should be used.</p>
     <div class="nav">
         <div class="nav_prev">
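Review bot: the drawbacks are written as plain "- first / - second / - third" text inside a single `<p>`, so they will not render as a list; use `<ul><li>...</li></ul>` as the section above does, and fix "a all of nothing choice" to "an all-or-nothing choice". The first drawback (CPU cost of encrypting everything) is not specific to LDAPS, since a startTLS session carries the same cost once TLS is negotiated, so it does not support the conclusion. More importantly, the closing sentence recommends startTLS without noting that the connection starts in plaintext: the text should state that the client must complete the startTLS negotiation, and verify the server certificate, before sending a bind or any other request, otherwise the "come back to a non-encrypted communication" property becomes an exposure rather than a feature.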
