Starting TLS
Subject: Starting TLS
Author: authen
In response to: Requesting to Start TLS on an LDAP Association
Posted on: 07/02/2007 08:46:13 PM
The server will return an extended response with the resultCode of success if it is willing and able to negotiate TLS. It will return other resultCodes, documented above, if it is unable.
In the successful case, the client, which has ceased to transfer LDAP requests on the connection, MUST either begin a TLS negotiation or close the connection. The client will send PDUs in the TLS Record Protocol directly over the underlying transport connection to the server to initiate TLS negotiation [TLS].
>
> On 07/02/2007 08:44:05 PM authen wrote:
> The client MAY send the Start TLS extended request at any time after establishing an LDAP association, except that in the following cases the client MUST NOT send a Start TLS extended request:
> if TLS is currently established on the connection, or during a multi-stage SASL negotiation, or if there are any LDAP operations outstanding on the connection.
> The result of violating any of these requirements is a resultCode of operationsError.
> The client MAY have already performed a Bind operation when it sends a Start TLS request, or the client might have not yet bound.
> If the client did not establish a TLS connection before sending any other requests, and the server requires the client to establish a TLS connection before performing a particular request, the server MUST reject that request with a confidentialityRequired or strongAuthRequired result. The client MAY send a Start TLS extended request, or it MAY choose to close the connection.
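Added example, not from the original post or the RFC text it quotes: a small Python model of the Start TLS preconditions and the server's result codes described above. The `LdapAssociation` class and its fields are hypothetical; the Start TLS OID, the numeric result code values, and the `unavailable` code for a server that cannot negotiate TLS are taken from RFC 2830 and RFC 4511 rather than from the quoted text.

```python
from dataclasses import dataclass, field
from enum import Enum

# Start TLS extended-operation OID from RFC 2830 (not quoted in the post)
START_TLS_OID = "1.3.6.1.4.1.1466.20037"


class ResultCode(Enum):
    """LDAP result codes involved in the Start TLS rules (values from RFC 4511)."""
    success = 0
    operationsError = 1
    strongAuthRequired = 8
    confidentialityRequired = 13
    unavailable = 52  # RFC 2830: server is unable to negotiate TLS


@dataclass
class LdapAssociation:
    """Hypothetical model of one LDAP connection as tracked by the server."""
    server_can_tls: bool = True                    # willing and able to negotiate TLS
    tls_required_for: frozenset = frozenset()      # request kinds that need TLS first
    tls_established: bool = False
    sasl_in_progress: bool = False                 # inside a multi-stage SASL bind
    outstanding: set = field(default_factory=set)  # message IDs awaiting a response

    def start_tls(self) -> ResultCode:
        """Server reply to a Start TLS extended request (requestName START_TLS_OID)."""
        # All three MUST NOT cases from the quoted text yield operationsError.
        if self.tls_established or self.sasl_in_progress or self.outstanding:
            return ResultCode.operationsError
        if not self.server_can_tls:
            return ResultCode.unavailable
        return ResultCode.success

    def negotiate_tls(self) -> None:
        """Client ran the TLS handshake after a successful Start TLS reply."""
        self.tls_established = True

    def request(self, msg_id: int, kind: str) -> ResultCode:
        """Any other operation; refused until TLS is up if the server requires it."""
        if kind in self.tls_required_for and not self.tls_established:
            return ResultCode.confidentialityRequired
        self.outstanding.add(msg_id)  # now an outstanding operation on the connection
        return ResultCode.success

    def complete(self, msg_id: int) -> None:
        """Server has sent the final response for msg_id."""
        self.outstanding.discard(msg_id)
```

A client that receives `operationsError` here has violated one of the three preconditions rather than hit a TLS failure, so the fix is on the client side: wait for outstanding responses or finish the SASL exchange before retrying.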