On Fri, 28 Dec 2012 09:14:51 +0100 (CET), Wiebe Cazemier <[email protected]> wrote:

> ----- Original Message -----
> > From: "Dieter Klünter" <[email protected]>
> > To: [email protected]
> > Sent: Thursday, 27 December, 2012 3:53:21 PM
> > Subject: Re: Forcing TLS encryption
> >
> > On Mon, 24 Dec 2012 10:14:39 +0100 (CET), Wiebe Cazemier <[email protected]> wrote:
> >
> > >
> >
> > In order to initiate Transport Layer Security you have to call the
> > extended operation ldapSTARTTLS.
> >
> > -Dieter
> >
> > --
> > Dieter Klünter | Systemberatung
> > http://dkluenter.de
> > GPG Key ID:DA147B05
> > 53°37'09,95"N
> > 10°08'02,42"E
>
> I understand that, but this way, even when you're forcing TLS, users
> can still expose their passwords if their computers are
> misconfigured. SMTP, IMAP, FTP, etc. don't allow this, because they
> reject the connection if LOGINNAME is given before STARTTLS.

No. RFC 4513 clearly states:

    ... however, where a client intends to perform both a Bind operation
    and a StartTLS operation, it SHOULD first perform the StartTLS
    operation so that the Bind request and response messages are
    protected by the data security services established by the StartTLS
    operation. [...]

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
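As an added illustration of the ordering Dieter quotes from RFC 4513 (example written for this thread, not OpenLDAP code): a small BER decoder that, given the LDAP PDUs a client sent on a cleartext connection, reports any simple bind that went out before the StartTLS extended request, so a misconfigured client of the kind Wiebe describes shows up on the wire. Tags and the StartTLS OID follow RFC 4511; the DN and password in the sample messages are constructed.

```python
from typing import List, Tuple
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS requestName OID (RFC 4511 section 4.14)

def tlv(tag: int, body: bytes) -> bytes:     # encode one BER TLV (short-form length)
    assert len(body) < 128                   # enough for the small messages built here
    return bytes([tag, len(body)]) + body
def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def classify(msg: bytes) -> Tuple[str, int]:
    """Return (kind, messageID) for one LDAPMessage; kind is bind-simple, bind-sasl, starttls or other."""
    _, body, _ = parse_tlv(msg)              # LDAPMessage ::= SEQUENCE { messageID, protocolOp, ... }
    _, mid, pos = parse_tlv(body)            # messageID INTEGER
    op_tag, op, _ = parse_tlv(body, pos)     # protocolOp CHOICE, identified by its APPLICATION tag
    msg_id = int.from_bytes(mid, "big")
    if op_tag == 0x60:                       # [APPLICATION 0] BindRequest
        _, _, p = parse_tlv(op)              # version INTEGER
        _, _, p = parse_tlv(op, p)           # name LDAPDN
        auth_tag, _, _ = parse_tlv(op, p)    # AuthenticationChoice: simple is [0] OCTET STRING
        return ("bind-simple" if auth_tag == 0x80 else "bind-sasl"), msg_id
    if op_tag == 0x77:                       # [APPLICATION 23] ExtendedRequest
        name_tag, oid, _ = parse_tlv(op)     # requestName [0] LDAPOID
        if name_tag == 0x80 and oid == STARTTLS_OID:
            return "starttls", msg_id
    return "other", msg_id
def cleartext_simple_binds(stream: List[bytes]) -> List[int]:
    """messageIDs of simple binds sent before the client's StartTLS request (what follows it is TLS)."""
    leaked = []
    for msg in stream:
        kind, msg_id = classify(msg)
        if kind == "starttls":               # remaining bytes are TLS records, not LDAP PDUs
            break
        if kind == "bind-simple":
            leaked.append(msg_id)
    return leaked

# Constructed sample traffic (not a real capture); the DN and password are made up.
def bind_request(msg_id: int, dn: bytes, password: bytes) -> bytes:
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)   # version 3, name, simple auth
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))
def starttls_request(msg_id: int) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))
DN, PW = b"cn=admin,dc=example,dc=com", b"hunter2"
MISCONFIGURED_CLIENT = [bind_request(1, DN, PW), starttls_request(2)]   # password already on the wire
RFC4513_CLIENT = [starttls_request(1), bind_request(2, DN, PW)]          # bind travels inside TLS
```

Rejecting such a bind at the server does not help: by the time slapd sees it, the password has already crossed the network in the clear, which is why the order has to be enforced on the client.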
