That's what can be found in the FAQ on openldap.org:

https://www.openldap.org/faq/data/cache/605.html

I would trust this more than any rumors on any stackxxxx page ;)

On 30.03.22 at 18:45, thomaswilliampritch...@gmail.com wrote:
> At risk of beating a dead horse, I'd like to hear considerations on STARTTLS 
> vs LDAPS. I'm also particularly interested if openldap plans to support LDAPS 
> long term or if there's actually a deprecation effort going on around LDAPS 
> where it would one day no longer be supported by openldap.
> 
> This seems to be the most comprehensive post discussing the virtue of the 
> two. 
> https://security.stackexchange.com/questions/257749/is-ldaps-or-starttls-more-secure
> I also found a post in this Archive from 2018 that seems to indicate a change 
> of opinion where LDAPS should be preferred, and not deprecated.
> https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/ISWKXC5VGMXTOZPW5MWY7ZOBHUTKFBMM/
>  
> 
> Does openldap agree that LDAPS should now be the preferred implementation and 
> STARTTLS should be discouraged?
> 
> I do not have a security background and there is certainly a lot of room for 
> me to misunderstand, but it seems like STARTTLS leaves the door open for a 
> "tls downgrade attack" where a man in the middle could essentially reply to a 
> client effectively saying start tls is not supported and then the client 
> falls back to non tls communication (which is obviously unfortunate). Even if 
> the backend server is properly not responding to clients until STARTTLS is 
> initiated, the man in the middle could initiate a connection with STARTTLS to 
> the ldap server and be talking plaintext to the client. Is that legitimately 
> possible or am I missing a nuance? If one were to only support clients over 
> LDAPS it seems this would be mitigated?
> 
> Thanks for the considerations, looking forward to hearing the expert opinions 
> on the topic.
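As an added illustration (not part of this thread, and not OpenLDAP's own client code), here is the fail-closed StartTLS client policy the original poster asks about, using only the Python standard library: the client sends the RFC 4511 StartTLS extended request and, if the reply is anything but success, closes the socket instead of continuing LDAP in the clear; `extended_response` builds the kind of refusal a downgrading intermediary would inject so the parser can be exercised offline. Host, port and CA file are assumptions.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def tlv(tag, body):
    assert len(body) < 0x80                # short-form length is enough for the messages built here
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode one BER element at pos (short- or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id=1):
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def extended_response(msg_id, code, diag=b""):
    """Build an ExtendedResponse [APPLICATION 24] as a server (or a downgrading MITM) would send it."""
    op = tlv(0x78, tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def parse_extended_response(buf):
    """Return (messageID, resultCode, diagnosticMessage); reject anything that is not an ExtendedResponse."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)            # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)          # matchedDN (empty for StartTLS)
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def connect_with_required_starttls(host, port=389, cafile=None):
    """Plain TCP, StartTLS, then TLS with certificate and hostname checks. Never falls back to cleartext."""
    sock = socket.create_connection((host, port))   # host/port/cafile are the caller's (assumed) values
    sock.sendall(starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:                          # "unavailable", "protocolError", anything else: fail closed
        sock.close()
        raise ConnectionError(f"StartTLS refused (resultCode {code}: {diag!r}); not continuing in cleartext")
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True by default
    return ctx.wrap_socket(sock, server_hostname=host)
```

The same fail-closed behaviour is what `ldapsearch -ZZ` (as opposed to `-Z`) gives you with the OpenLDAP command-line tools.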
