httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: Auth LDAP ssl/tls differences
Date Thu, 06 Jan 2005 23:19:15 GMT
>I personally feel more comfortable having LDAP on an SSL port only,
then 
>I know there is no way my server can be accessed accidently without 
>encryption in place. 

Call me paranoid, but I completely agree.  Especially since the primary
purpose of auth_ldap is authentication, ie. userid's and passwords and
constantly being passed on the wire.

>This doesn't mean that APR-util doesn't support the concept of
starting 
>and stopping tls, it only means that util_ldap doesn't choose to use 
>this option.

So we should probably split start_tls out from apr_ldap_ssl_init() into
it's own API.  This way some other module or application built on top of
apr-util will have the ability to start and stop TLS at will.

Brad

>>> minfrin@sharp.fm Thursday, January 06, 2005 2:18 PM >>>
Brad Nicholes wrote:

>    I guess I am still a little unclear on what the advantage is to
using
> ldap:// + start_tls  vs.  ldaps://.  The end result is the same
except
> that you have a secure connection to the LDAP server on 389 rather
than
> 636.  Is that the only reason?

Apparently ldap:// + STARTTLS is a standard, and ldaps:// is not a 
standard (although it's universally supported). The end result of both

methods is the same - a secure connection.

I personally feel more comfortable having LDAP on an SSL port only,
then 
I know there is no way my server can be accessed accidently without 
encryption in place. But others want to use STARTTLS, and if it's 
technically possible, I see no reason to stop them.

> Something to think about - what about ldap connection caching?  Are
the
> ldap://+start_tls connections cached separately from ldap://  and
> ldaps:// connections?

No - there is just one cache of connections. SSL/TLS is negotiated when

the connection is first established, and remains that way until the 
connection is closed. Whether the initial negotiation was SSL or 
STARTTLS makes no difference, once util_ldap has said STARTTLS it 
doesn't stop TLS again until the connection is disposed of.

This doesn't mean that APR-util doesn't support the concept of starting

and stopping tls, it only means that util_ldap doesn't choose to use 
this option.

Regards,
Graham
--


Mime
View raw message