TLS
Eliminating SSL usage in favor of TLS
https://confluence.symas.com/display/OK/%5BDRAFT%5D+Configuring+Secure+Communications
Good TLS Demonstration
https://confluence.symas.com/display/OK/Symas+OpenLDAP+Installation+Configuration+Example#SymasOpenLDAPInstallationConfigurationExample-TLSconfiguration
SSF (Security Strength Factors)
http://www.openldap.org/doc/admin24/security.html#Security%20Strength%20Factors
Admin Guide TLS Section
http://www.openldap.org/doc/admin24/tls.html
Force OpenLDAP to use TLS 1.0+ rather than SSL v2,3
In the global section of slapd.conf add the following:
TLSProtocolMin 3.1
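An added checker (not code from the Symas or OpenLDAP pages linked above) that audits the global section of a slapd.conf for this directive; it assumes directive names are case-insensitive, that the global section ends at the first database line, and the major.minor numbering OpenLDAP uses for TLSProtocolMin (3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3).

```python
"""Audit the global section of a slapd.conf for the TLSProtocolMin floor.

Assumptions (added example): directive names are case-insensitive, the global
section ends at the first 'database' directive, and TLSProtocolMin takes
"<major>.<minor>" where 3.1 means TLS 1.0 (3.0 would still allow SSLv3).
"""
import re

PROTOCOL_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                  (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
TLS10 = (3, 1)  # the floor recommended above: TLS 1.0+, no SSL v2/v3


def parse_global_section(text):
    """Return {directive_lower: value} for lines before the first 'database'."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        if name == "database":  # everything after this is per-database config
            break
        directives[name] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def protocol_min(text):
    """Return TLSProtocolMin as a (major, minor) tuple, or None if absent/unparseable."""
    value = parse_global_section(text).get("tlsprotocolmin")
    if value is None:
        return None
    m = re.fullmatch(r"(\d+)\.(\d+)", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_protocol_floor(text):
    """Return (ok, message): ok is True only when SSL v2/v3 are ruled out."""
    floor = protocol_min(text)
    if floor is None:
        return False, "TLSProtocolMin missing from global section: SSLv3 still negotiable"
    name = PROTOCOL_NAMES.get(floor, "unknown %d.%d" % floor)
    if floor < TLS10:
        return False, "TLSProtocolMin %d.%d allows %s" % (floor + (name,))
    return True, "TLSProtocolMin %d.%d: minimum is %s" % (floor + (name,))


# Constructed sample configs (not real deployments).
WEAK_CONF = "include /etc/openldap/schema/core.schema\nTLSProtocolMin 3.0\ndatabase mdb\n"
FIXED_CONF = "include /etc/openldap/schema/core.schema\ntlsprotocolmin 3.1\ndatabase mdb\n"
```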
TLS Information
TLS is also SSL
Securing a socket was a Netscape requirement. They called it SSL. Then came SSL v2, SSL v3.
Then it switched to TLS 1.0 (aka SSL 3.0). Then TLS v1.1 and TLS v1.2 followed.
The ldap and ldaps URIs we use are set in the symas-openldap.conf file:
HOST_LIST="ldap:///"
SSL v3.0 is long dead but people still talk about SSL.
The rename from SSL to TLS was a vast error that confused the whole planet.
STARTTLS
StartTLS works over 389
StartTLS is a protocol on top of another protocol
StartTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.