On Tue, Mar 06, 2012 at 10:15:04AM -0500, Prentice Bisbal wrote:
> On 03/06/2012 10:01 AM, Mark H. Wood wrote:
> > On Tue, Mar 06, 2012 at 09:43:44AM -0500, Prentice Bisbal wrote:
> >> It sounds like you don't fully understand TLS and the difference between
> >> TLS and SSL. I hope this brief explanation can help you out. I hope I'm
> >> not making a fool out of myself by telling you something you already know.
> >>
> >> TLS is similar to SSL, except that it happens on the non-encrypted port
> >> address, so for LDAP, that would be on port 389, instead of the LDAP+SSL
> >> port of 636. For TLS the client connects to the "standard" unencrypted
> >
> > Uh, no. TLS (http://tools.ietf.org/html/rfc5246) is SSLv3 with slight
> > tweaks. SSL was IIRC a Netscape invention, and when IETF standardized
> > it of course they had to change the name and make a few adjustments.
>
> How is "SSLv3 with slight tweaks" different than saying "TLS is similar
> to SSL"? I fail to see any difference, especially in the context of the
> high-level overview I was intending.
>
> >
> > STARTTLS (http://en.wikipedia.org/wiki/STARTTLS) is a mechanism (used
> > in a number of protocols, including LDAP and also SMTP) by which two
> > hosts can agree to upgrade an unencrypted connection to (TLS or SSL)
> > encrypted.
> >
>
> Again, what you are saying is no different from what I already said.
You said: "TLS...happens on the non-encrypted port...."

TLS (and SSL) doesn't care what port it's on. It's just encryption. STARTTLS is a negotiation mechanism by which two hosts can agree to start a TLS session within a conversation on any port at all, but probably on the well-known port assigned to that protocol for unencrypted conversations and probably within a conversation that was not already encrypted (so far as the application layer knows). The port(s) to be used are standardized as part of the application protocol.

I've seen lots of people get tied up in knots because they think that TLS has something to do with upward negotiation. It does not. TLS works just fine on port 636 for carrying an entire LDAP session encrypted. Upward negotiation is done by means not part of the encryption mechanism, such as STARTTLS or SASL (RFC4422 -- see section 3.7).

You will not find "STARTTLS" anywhere in RFC5246 (The Transport Layer Security (TLS) Protocol Version 1.2). You will find it, among other places, in RFC4511 (Lightweight Directory Access Protocol (LDAP): The Protocol) and RFC4513 (Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms) which specify LDAP, not TLS.

--
Mark H. Wood, Lead System Programmer
[email protected]
Asking whether markets are efficient is like asking whether people are smart.
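The distinction Mark draws, as an added example that is not part of the thread or written by any of its participants: the LDAP StartTLS extended operation from RFC 4511 (section 4.14) hand-encoded in BER, sent in the clear on whatever port the LDAP conversation already uses, with the TLS wrap of that same socket happening only after the directory agrees, next to the port-636 form where TLS comes first and LDAP runs inside it. The host names, the single `recv`, and the socket handling are assumptions for illustration; the OID is the one RFC 4511 assigns to StartTLS.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # requestName RFC 4511 assigns to StartTLS

def _tlv(tag: int, body: bytes) -> bytes:  # BER tag-length-value, short-form length only
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _read(data: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    """Read one short-form TLV at pos, checking its tag; return (body, next_pos)."""
    if pos >= len(data) or data[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    end = pos + 2 + data[pos + 1]
    return data[pos + 2:end], end

def build_starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77: APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)

def build_extended_response(msg_id: int, result_code: int, name: bytes) -> bytes:
    """Server side (constructed sample): extendedResp [APPLICATION 24], empty matchedDN/diagnosticMessage."""
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x78, result + _tlv(0x8A, name)))

def parse_extended_response(data: bytes) -> tuple[int, int, bytes]:
    """Return (messageID, resultCode, responseName); referrals are not expected in this reply."""
    body, _ = _read(data, 0, 0x30)
    id_bytes, pos = _read(body, 0, 0x02)
    resp, _ = _read(body, pos, 0x78)
    code_bytes, pos = _read(resp, 0, 0x0A)
    _, pos = _read(resp, pos, 0x04)  # matchedDN
    _, pos = _read(resp, pos, 0x04)  # diagnosticMessage
    name = _read(resp, pos, 0x8A)[0] if pos < len(resp) else b""
    return int.from_bytes(id_bytes, "big"), int.from_bytes(code_bytes, "big"), name

def upgrade_to_tls(sock: socket.socket, host: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """STARTTLS: ask in the clear on the port LDAP already uses and wrap the same
    socket only after the directory agrees; a refusal raises instead of staying plaintext."""
    sock.sendall(build_starttls_request(1))
    msg_id, code, _ = parse_extended_response(sock.recv(4096))  # assumption: one read holds the reply
    if msg_id != 1 or code != 0:
        raise RuntimeError(f"StartTLS refused, resultCode {code}")
    return ctx.wrap_socket(sock, server_hostname=host)  # TLS handshake now, same port

def connect_ldaps(host: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """The port-636 form: TLS from the first byte, LDAP only inside the tunnel."""
    return ctx.wrap_socket(socket.create_connection((host, 636)), server_hostname=host)
```

Both paths end with the same `ssl.SSLSocket`; what differs is whether any LDAP bytes crossed the wire before the handshake, which is exactly the application-protocol decision RFC 4511 makes and RFC 5246 does not.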
