Nelson Bolyard wrote:
> Rich Megginson wrote:
>> Nelson B wrote:
>>> Rich Megginson wrote:
>>>> Nelson B wrote:
>>>>> Does LDAP have a "StartTLS" feature (a la IMAP, SMTP) that allows the
>>>>> connection to start without TLS, then negotiate TLS and switch to it?
>>>>> Where can I find out more about it, if so?
>>>> This is RFC 4513 - http://www.isi.edu/in-notes/rfc4513.txt
>>> Thanks. That RFC is hot off the press, I see.
>>> Am I right in imagining that it's not widely implemented yet?
>>>
>> That RFC is the replacement for the earlier startTLS RFCs which are
>> referenced in that document and have been implemented for several years
>> now. I haven't read the new RFC yet but I'm assuming it hasn't changed
>> the startTLS spec, just cleaned it up and unified the various strands of
>> other RFCs.
>>
>> So, yes, it is widely implemented. Netscape/Sun/iPlanet/Red Hat/Fedora
>> Directory Server has supported it since 2001, and likely OpenLDAP and
>> others have supported it since around that time.
>
> The LDAP SDK documentation on www.mozilla.org
> <http://www.mozilla.org/directory/csdk-docs/ssl.htm#how_ssl_works_with_ldap>
> says "The Mozilla LDAP C SDK only supports SSL 3.0 and does not support the
> Start Transport Layer Security (TLS) Operation."
That is incorrect. Mozldap 6 uses any recent version of NSS (e.g. 3.11), which
supports TLSv1 and SSLv3 (SSLv2 is off by default). In addition, it has
supported the StartTLS extended operation for quite some time now. The problem
is that those docs are hopelessly out of date. Our salvation will come in the
form of Sun's contribution of their up-to-date docs to Mozilla, except that
Mark Craig and Gerv are going around and around with the Sun lawyers over the
doc licensing. Mark already has everything converted to DocBook XML and it's
ready to go.

> There are (at least) two possible interpretations of that:
> a) The Mozilla LDAP C SDK ... does not support ... TLS
> b) The Mozilla LDAP C SDK ... does not support ... StartTLS.
>
> Which of those interpretations is correct?
> Or, if neither, what is the correct interpretation?
> Or is that document just wrong and needs to be fixed?

_______________________________________________
dev-tech-ldap mailing list
https://lists.mozilla.org/listinfo/dev-tech-ldap
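The StartTLS extended operation the thread is discussing, as an added example that is not from the thread, from RFC 4513, or from the Mozilla LDAP C SDK: a minimal BER encoder and decoder for the LDAPMessage/ExtendedRequest/ExtendedResponse pair defined in RFC 4511 section 4.14 (requestName OID 1.3.6.1.4.1.1466.20037), plus a hypothetical `negotiate_starttls` client helper that shows the order a client has to follow: send the request in the clear, check the resultCode of the reply, and only on success start the TLS handshake, with certificate and hostname verification. The function names, the `encode_starttls_response` server-side builder, and the sample replies (success, and resultCode 52 `unavailable`) are constructed for this example and are not an SDK API.

```python
# Added example (not from the thread, RFC 4513 or any LDAP SDK): the StartTLS
# extended operation on the wire, RFC 4511 sec. 4.14, with a hypothetical
# client helper that refuses to fall back to cleartext.
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"          # RFC 4511 sec. 4.14.1
SEQUENCE, INTEGER, ENUMERATED, OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
EXTENDED_REQUEST, EXTENDED_RESPONSE = 0x77, 0x78  # [APPLICATION 23] / [APPLICATION 24]
REQUEST_NAME, RESPONSE_NAME = 0x80, 0x8A          # [0] requestName / [10] responseName
RESULT_SUCCESS = 0

def ber_length(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def int_bytes(value):
    """Minimal two's-complement body for a non-negative INTEGER/ENUMERATED."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")

def encode_starttls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request = tlv(EXTENDED_REQUEST, tlv(REQUEST_NAME, STARTTLS_OID))
    return tlv(SEQUENCE, tlv(INTEGER, int_bytes(message_id)) + request)

def encode_starttls_response(message_id, result_code, diagnostic=b"", echo_name=True):
    """Server side; used here only to build constructed sample replies."""
    body = (tlv(ENUMERATED, int_bytes(result_code))
            + tlv(OCTET_STRING, b"")              # matchedDN (empty for StartTLS)
            + tlv(OCTET_STRING, diagnostic))      # diagnosticMessage
    if echo_name:                                 # responseName, if present, echoes the OID
        body += tlv(RESPONSE_NAME, STARTTLS_OID)
    return tlv(SEQUENCE, tlv(INTEGER, int_bytes(message_id)) + tlv(EXTENDED_RESPONSE, body))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); ValueError on a truncated element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                              # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def decode_extended_response(buf):
    """Parse LDAPMessage { messageID, ExtendedResponse } into a dict."""
    tag, message, _ = read_tlv(buf)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(message)
    tag, result, _ = read_tlv(message, pos)
    if tag != EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(result)               # LDAPResult: resultCode, matchedDN, diagnosticMessage
    _, matched_dn, pos = read_tlv(result, pos)
    _, diagnostic, pos = read_tlv(result, pos)
    response_name = None
    while pos < len(result):                      # optional referral / responseName / responseValue
        tag, value, pos = read_tlv(result, pos)
        if tag == RESPONSE_NAME:
            response_name = value
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched_dn, "diagnostic": diagnostic,
            "response_name": response_name}

def starttls_accepted(response):
    """The only outcome on which a client may start the TLS handshake."""
    return response["result_code"] == RESULT_SUCCESS

def negotiate_starttls(sock, server_hostname, cafile=None, message_id=1):
    """Hypothetical client helper (not an SDK API). Sends StartTLS on a connected
    plaintext socket, checks the result, then starts TLS with certificate and
    hostname verification (RFC 4513 sec. 3.1.3); never continues in the clear."""
    sock.sendall(encode_starttls_request(message_id))
    response = decode_extended_response(sock.recv(4096))  # StartTLS replies are a few dozen bytes
    if response["message_id"] != message_id or not starttls_accepted(response):
        raise ssl.SSLError("StartTLS refused: %d %r" % (response["result_code"], response["diagnostic"]))
    ctx = ssl.create_default_context(cafile=cafile)       # CERT_REQUIRED, check_hostname=True
    return ctx.wrap_socket(sock, server_hostname=server_hostname)

if __name__ == "__main__":                        # constructed exchange, no server needed
    print(encode_starttls_request(1).hex())
    ok = decode_extended_response(encode_starttls_response(1, RESULT_SUCCESS))
    refused = decode_extended_response(encode_starttls_response(1, 52, b"TLS not available", False))
    print(ok, starttls_accepted(ok))
    print(refused, starttls_accepted(refused))
```

The security-relevant detail is in `negotiate_starttls`: the request itself goes out unencrypted, so the client must treat anything other than resultCode 0 (or a reply with the wrong messageID) as a hard failure rather than proceeding to bind in the clear, and it must verify the server certificate against the name it intended to reach once the handshake starts; a StartTLS client that does either check loosely is trivially downgraded by an on-path attacker who answers the request with `unavailable`.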
