[ https://issues.apache.org/jira/browse/DIRSERVER-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15169277#comment-15169277 ]

Emmanuel Lecharny commented on DIRSERVER-2126:
----------------------------------------------

Well, I must admit I totally forgot about this flag that was added 8 years ago 
;-)

Thanks for the feedback!

> Possibility to set 'StartTLS enforced' through some parameter
> -------------------------------------------------------------
>
>                 Key: DIRSERVER-2126
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2126
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 2.0.0-M21
>         Environment: All Apache-DS Versions, all operating systems.
>            Reporter: Stefan Humbold
>            Priority: Critical
>
> Up to now (M21) it is not possible to set the communication protocol to 
> 'StartTLS enforced'.
> We don't want to offer our ldap-clients an insecure way to talk with our 
> LDAP-Server. Yes, I can disable the default-Port 389 and only enable the 
> SSL-Port 636. But it is written in the DS documentation: " **LDAPS** is 
> considered as deprecated. You should always favor startTLS instead. "
> And I also need the port 389 (with StartTLS) for replication, so I can not 
> disable it.
> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the 
> users can still connect without TLS.
> I found this interesting paper:
> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf
> --> see caption 3.5:  
> "The correct and standard approach is to start LDAP without encryption and 
> then negotiate the TLS security layer. If necessary, the server can be 
> configured to refuse all operations other than 'Start TLS' until TLS is in 
> place"
> In OpenLDAP you can enforce TLS through some
> parameter, and I think that would be a good addition to ApacheDS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
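The gate that Findlay's paper describes (refuse every operation except StartTLS until TLS is in place), as an added Python example that is neither ApacheDS nor OpenLDAP code: it decodes the BER LDAPMessage envelope just far enough to recognise the StartTLS ExtendedRequest and answers anything else arriving on a plaintext connection with confidentialityRequired (resultCode 13). The sample messages are constructed inline, not captured traffic.

```python
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 4.14
SUCCESS, CONFIDENTIALITY_REQUIRED = 0, 13    # LDAP resultCode values
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_CONTEXT_0 = 0x30, 0x02, 0x04, 0x80
TAG_BIND_REQUEST, TAG_EXTENDED_REQUEST = 0x60, 0x77  # [APPLICATION 0], [APPLICATION 23]

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at buf[pos:]; rejects indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first >= 0x80:                      # long form: (first & 0x7F) length bytes follow
        k = first & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("indefinite or oversized length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + n], pos + n

def is_start_tls(op_tag: int, op: bytes) -> bool:
    """True only for an ExtendedRequest whose requestName [0] is the StartTLS OID."""
    if op_tag != TAG_EXTENDED_REQUEST:
        return False
    tag, name, _ = read_tlv(op)
    return tag == TAG_CONTEXT_0 and name == START_TLS_OID

def gate(message: bytes, tls_established: bool) -> int:
    """Decide an incoming LDAPMessage: SUCCESS to process it, else CONFIDENTIALITY_REQUIRED."""
    tag, body, _ = read_tlv(message)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)             # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)    # protocolOp CHOICE
    return SUCCESS if tls_established or is_start_tls(op_tag, op) else CONFIDENTIALITY_REQUIRED

# Constructed sample messages: a StartTLS request and a simple bind (password is made up).
START_TLS_MSG = ber(TAG_SEQUENCE, ber(TAG_INTEGER, b"\x01")
                    + ber(TAG_EXTENDED_REQUEST, ber(TAG_CONTEXT_0, START_TLS_OID)))
BIND_MSG = ber(TAG_SEQUENCE, ber(TAG_INTEGER, b"\x02") + ber(TAG_BIND_REQUEST, ber(TAG_INTEGER, b"\x03")
               + ber(TAG_OCTET_STRING, b"cn=admin") + ber(TAG_CONTEXT_0, b"hunter2")))
```

A server applying this gate still serves the bind once the TLS layer is up, which is the difference between "StartTLS enforced" and simply closing port 389.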