Subject: Response with ResultCode other than
Author: authen
In response to: StartTLS Response
Posted on: 07/02/2007 02:31:46 PM
If the ExtendedResponse contains a resultCode other than success,
this indicates that the server is unwilling or unable to negotiate
TLS.
If the Start TLS extended request was not successful, the resultCode
will be one of:
operationsError(1) (operations sequencing incorrect; e.g. TLS already established)
protocolError(2) (TLS not supported or incorrect PDU structure)
referral(10) (this server doesn't do TLS, try this one)
unavailable(52) (e.g. some major problem with TLS, or server is shutting down)
The server MUST return operationsError if the client violates any of
the Start TLS extended operation sequencing requirements.
If the server does not support TLS (whether by design or by current
configuration), it MUST set the resultCode to protocolError.
The client's current session is unaffected if the server does not support TLS.
The client MAY proceed with any LDAP operation, or it MAY close the connection.
The server MUST return unavailable if it supports TLS but cannot
establish a TLS connection for some reason, e.g. the certificate
server not responding, it cannot contact its TLS implementation, or
if the server is in the process of shutting down. The client MAY retry
the StartTLS operation, or it MAY proceed with any other LDAP
operation, or it MAY close the connection.
> On 07/02/2007 02:18:32 PM authen wrote:
When a Start TLS extended request is made, the server MUST return an
LDAP PDU containing a Start TLS extended response. An LDAP
ExtendedResponse is defined as follows:
ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
        COMPONENTS OF LDAPResult,
        responseName     [10] LDAPOID OPTIONAL,
        response         [11] OCTET STRING OPTIONAL }
A Start TLS extended response MUST contain a responseName field which
MUST be set to the same string as that in the responseName field
present in the Start TLS extended request. The response field is
absent.
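An added client-side example for the response handling discussed in this thread (my code, not text from the post or from the RFC it quotes). It BER-encodes the StartTLS ExtendedRequest, decodes an ExtendedResponse with the structure quoted above (LDAPResult components, then responseName [10] and the optional response [11]), checks that responseName echoes the request and that the response field is absent, and maps the resultCode to the next step the text permits. Assumptions: the StartTLS OID 1.3.6.1.4.1.1466.20037 comes from RFC 2830 and is not quoted on this page; the function names are mine; the server responses are constructed inline so the script runs offline, and the action strings are my paraphrase of the post.

```python
"""StartTLS ExtendedResponse handling: request encoder, response decoder, resultCode triage."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # from RFC 2830 (assumption: not quoted on the page)
# resultCode values named in the post
SUCCESS, OPERATIONS_ERROR, PROTOCOL_ERROR, REFERRAL, UNAVAILABLE = 0, 1, 2, 10, 52


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0A); enough for messageID and resultCode."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def start_tls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }; no requestValue."""
    return tlv(0x30, ber_int(message_id) + tlv(0x77, tlv(0x80, START_TLS_OID.encode("ascii"))))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


@dataclass
class ExtendedResponse:
    message_id: int
    result_code: int
    matched_dn: str
    diagnostic: str
    referral: List[str] = field(default_factory=list)
    response_name: Optional[str] = None
    response_value: Optional[bytes] = None


def parse_extended_response(msg: bytes) -> ExtendedResponse:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { LDAPResult..., [10], [11] } }."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse [APPLICATION 24]")
    tag, rc, pos = read_tlv(op, 0)  # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("resultCode is not an ENUMERATED")
    _, dn, pos = read_tlv(op, pos)  # matchedDN
    _, diag, pos = read_tlv(op, pos)  # errorMessage
    resp = ExtendedResponse(int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), dn.decode(), diag.decode())
    while pos < len(op):  # optional tail: referral [3], responseName [10], response [11]
        tag, val, pos = read_tlv(op, pos)
        if tag == 0xA3:
            p = 0
            while p < len(val):
                _, url, p = read_tlv(val, p)
                resp.referral.append(url.decode())
        elif tag == 0x8A:
            resp.response_name = val.decode("ascii")
        elif tag == 0x8B:
            resp.response_value = val
    return resp


def triage_start_tls_response(resp: ExtendedResponse) -> str:
    """Check the response shape, then map resultCode to the next step the post allows the client."""
    if resp.response_name != START_TLS_OID:
        return "reject: responseName must echo the StartTLS requestName"
    if resp.response_value is not None:
        return "reject: response field must be absent"
    actions = {
        SUCCESS: "begin the TLS handshake on this connection",
        OPERATIONS_ERROR: "sequencing violation (e.g. TLS already established); do not retry",
        PROTOCOL_ERROR: "server does not support TLS; session unaffected, continue in the clear or close",
        REFERRAL: "this server does not do TLS; try " + (", ".join(resp.referral) or "<no referral URL given>"),
        UNAVAILABLE: "TLS temporarily unavailable; may retry StartTLS, continue, or close",
    }
    return actions.get(resp.result_code, f"unexpected resultCode {resp.result_code}; close the connection")


def start_tls_response(message_id: int, result_code: int, diagnostic: str = "", referral: Tuple[str, ...] = (),
                       echo_name: bool = True, value: Optional[bytes] = None) -> bytes:
    """Server-side builder used only to produce constructed sample responses (not captured traffic)."""
    body = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    if referral:
        body += tlv(0xA3, b"".join(tlv(0x04, u.encode()) for u in referral))
    if echo_name:
        body += tlv(0x8A, START_TLS_OID.encode("ascii"))
    if value is not None:
        body += tlv(0x8B, value)
    return tlv(0x30, ber_int(message_id) + tlv(0x78, body))


if __name__ == "__main__":
    print("StartTLS request:", start_tls_request(1).hex())
    samples = [(SUCCESS, "", ()), (PROTOCOL_ERROR, "TLS not supported", ()),
               (REFERRAL, "", ("ldap://ldap-tls.example.com/",)), (UNAVAILABLE, "shutting down", ())]
    for rc, diag, ref in samples:  # constructed responses
        r = parse_extended_response(start_tls_response(1, rc, diag, ref))
        print(f"resultCode {rc:>2}: {triage_start_tls_response(r)}")
```

Design note: the text gives the client latitude to keep using the session in the clear after protocolError or unavailable. A client that was configured to require TLS should not take that option, since an on-path party able to substitute a failure response for the server's success could otherwise keep the session unprotected; in that deployment, treat anything other than success as fatal and close the connection.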