TLS
... method (Section 5.1.3) and MUST be capable of protecting this
name/password authentication using TLS as established by the StartTLS
operation (Section 3).
...
... simple bind method SHOULD
support use of TLS as established by the StartTLS operation (Section
3). (Other servers MUST support TLS per the second paragraph of this
section.)
...
... Transport Layer Security (StartTLS) operation defined in
Section 4.14 of [RFC4511] provides the ability to establish TLS
[RFC4346] in an LDAP ...
... session.
The goals of using the TLS protocol with LDAP are to ensure data
confidentiality and integrity, and to optionally provide for
authentication. TLS expressly provides these capabilities, although
the authentication services of TLS are available to LDAP only in
combination with the SASL EXTERNAL ...
... 5.2.3), and then only if the SASL EXTERNAL implementation chooses to
make use of the TLS credentials.
...
... TLS Establishment Procedures ...
... This section describes the overall procedures clients and servers
must follow for TLS establishment. These procedures take into
consideration various aspects of the TLS layer including discovery of
resultant security ...
... session, except:
- when TLS is currently established on the session,
- when a multi-stage SASL negotiation ...
... client provide a user
certificate during TLS negotiation and the client does not present a
suitable user certificate ...
... server may use a local security policy to determine whether to
successfully complete TLS negotiation.
If a client ...
... Certification
Authorities are encouraged to provide subjectAltName values instead.
Note that the TLS implementation may represent DNs in certificates
according to X.500 ...
... security level is inadequate for it to continue, it
SHOULD remove the TLS layer immediately after the TLS (re)negotiation ...
... SHOULD discard or refresh all information about the server that it
obtained prior to the initiation of the TLS negotiation and that it
did not obtain through secure mechanisms. This protects against
man-in-the-middle attacks that may have altered any server
capabilities information retrieved prior to TLS layer installation.
...
The server may advertise different capabilities after installing a
TLS layer. In particular, the value of 'supportedSASLMechanisms' may
be different after a TLS layer has been installed (specifically, the
EXTERNAL and PLAIN [PLAIN] mechanisms are likely to be listed only
after a TLS layer has been installed).
...
... Effect of TLS on Authorization State ...
...
The establishment, change, and/or closure of TLS may cause the
authorization state to move to a new state ...
... TLS Ciphersuites ...
...
Several issues should be considered when selecting TLS ciphersuites
that are appropriate for use in a given circumstance. These issues
include the following:
...
... Client and server implementers should recognize
that some TLS ciphersuites provide no confidentiality
protection, while other ciphersuites that do provide
...
... man-in-the-middle attack is negligible.
- After a TLS negotiation (either initial or subsequent) is
completed, both protocol peers should independently verify that
the security services ...
... state has been established, how it was established, and what security
services are in place. Some factors may be determined and/or
affected by protocol events (e.g., Bind, StartTLS, or TLS closure),
and some factors may be determined by external events (e.g., time of
day or server load).
...
... layer and other security layers act independently, e.g., if both a
TLS layer and a SASL layer are in effect, then removing the TLS layer
does not affect the continuing service ...
... credentials exchanged by a
lower security layer (such as by TLS authentication). If the
client ...
... security layer (e.g., a public key certificate
used during TLS layer installation) according to local policy. The
underlying mechanics of how this is accomplished are implementation
...
... All security gained via use of the StartTLS operation is gained by
the use of TLS itself. The StartTLS operation, on its own, does not
provide any additional security.
...
The level of security provided through the use of TLS depends
directly on both the quality of the TLS implementation used and the
style of usage of that implementation. Additionally, a man-in-the-middle
attacker ...
... independently ascertain and consent to the security level achieved
once TLS is established and before beginning use of the TLS-protected
session. For example, the security level of the TLS layer
might have been negotiated down to plaintext ...
... As stated in Section 3.1.2, a server may use a local security policy
to determine whether to successfully complete TLS negotiation.
Information in the user's certificate that is originated or verified
...
Implementers should be aware of and understand TLS security
considerations as discussed in the TLS specification [RFC4346].
...
... credentials unless the data on the session is protected using TLS or
other data confidentiality and data integrity ...
... dictionary
attacks. Implementers should take care to protect such hashed
password values during transmission using TLS or other
confidentiality mechanisms.
...
... Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.1", RFC 4346, March 2006. ...
... identity supplied by a service like
TLS may not correspond to the authorization identities used to
express a server's access control policy ...
... - The name/password authentication mechanism (see Section B.2.5
below) protected by TLS replaces the SASL DIGEST-MD5 mechanism as
...
... B.2.5. Section 6.2 ("'simple' authentication choice under TLS ...
... name/password
authentication mechanism to better describe it.
- The use of TLS was generalized to align with definitions of LDAP
protocol layers. TLS establishment is now discussed as an
independent subject and is generalized for use with all
...
... B.2.6. Section 6.3 ("Other authentication choices with TLS") ...
... B.2.10. Section 10 ("TLS Ciphersuites") ...
...
- TLS ciphersuite recommendations are no longer included in this
specification. Implementations must now support the
TLS_RSA_WITH_3DES_EDE_CBC_SHA ...
... refresh information about
server capabilities following TLS establishment. This is to allow
for situations where this information was obtained through a secure
mechanism.
...
... B.3.4. Section 5.2 ("TLS Connection Closure Effects") ...
... authentication and authorization states to anonymous
upon TLS closure.
- Replaced references to RFC 2401 (-> 4301) ...
