Posted to users@directory.apache.org by John Strockmeyer <jo...@gmail.com> on 2015/02/06 15:41:57 UTC

ADS 2.0.0 and TLS

Hello. I have several questions on the topic of TLS in ApacheDS 2.0.0-M18:

1. Does ADS support TLS 1.1 and TLS 1.2 over ldaps?

2. I noticed that the class
org.apache.directory.server.protocol.shared.transport.*TcpTransport*
has *setEnableSSL* and *enableSSL* functions. Is there a need for two
functions? Should I be using both of them, or would just one of them be
enough?

3. I know that I can use JNDI API in an ldap client via ldaps, but is it
possible to also use it via StartTLS? Do I need to use "ssl" or "tls" for
Context.SECURITY_PROTOCOL?

4. When using JNDI client, should javax.naming.ldap.*StartTlsResponse* be
used after instantiating InitialLdapContext?

5. I have an ADS instance that is started manually as shown here:
http://svn.apache.org/viewvc/directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/LdapSSLConnectionTest.java?revision=1567956&view=markup
If I wanted to enable SSL/TLS, do I need to do anything besides calling
LdapServer#setKeystoreFile, LdapServer#setCertificatePassword, and setting
the aforementioned SSL flag in TcpTransport?

Thank you for your time.

Re: ADS 2.0.0 and TLS

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 06/02/15 15:41, John Strockmeyer a écrit :
> Hello. I have several questions on the topic of TLS in ApacheDS 2.0.0-M18:
>
> 1. Does ADS support TLS 1.1 and TLS 1.2 over ldaps?
Yes.
>
> 2. I noticed that the class
> org.apache.directory.server.protocol.shared.transport.*TcpTransport*
> has *setEnableSSL* and *enableSSL* functions. Is there a need for two
> functions? Should I be using both of them, or would just one of them be
> enough?
No idea why those two methods exist together when only one is
necessary.
>
> 3. I know that I can use JNDI API in an ldap client via ldaps, but is it
> possible to also use it via StartTLS? Do I need to use "ssl" or "tls" for
> Context.SECURITY_PROTOCOL?
First, LDAPS is considered deprecated. You should always use the
StartTLS extended operation instead.

Second, you would make your life less painful by using the Apache LDAP
API instead of JNDI.

>
> 4. When using JNDI client, should javax.naming.ldap.*StartTlsResponse* be
> used after instantiating InitialLdapContext?
I don't remember. I have not used JNDI for years ...
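For questions 3 and 4 above, the following is an added example written for this archive page; it is not code from either poster or from the ApacheDS project. It shows the JNDI StartTLS sequence using only the standard `javax.naming.ldap` classes: connect with a plain `ldap://` URL (not `ldaps://`, and without setting `Context.SECURITY_PROTOCOL` to `"ssl"`), send the StartTLS extended operation on the open connection, negotiate the handshake, and only then supply credentials and re-bind over the protected channel. The host, port (ApacheDS's default plain-LDAP port is assumed to be 10389), bind DN and password are assumptions; the negotiated protocol name is returned so that a deployment can verify which TLS version the server actually agreed to, which is the practical check for question 1.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

/**
 * JNDI client that upgrades a plain LDAP connection with StartTLS and
 * binds only after the channel is protected. Example code, not part of
 * the original thread or of ApacheDS.
 */
public class StartTlsJndiExample {

    /**
     * Opens a plain connection, negotiates StartTLS, binds, reads the
     * bind DN's own entry, and returns the TLS protocol name that was
     * negotiated (e.g. "TLSv1.2") so the caller can check it.
     */
    public static String connectWithStartTls(String url, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // A plain ldap:// URL: StartTLS upgrades this connection in place.
        // Do NOT set Context.SECURITY_PROTOCOL to "ssl" here; that makes JNDI
        // open an LDAPS socket instead of a plain one.
        env.put(Context.PROVIDER_URL, url);
        // No credentials yet: anything placed in env now would be sent in the
        // clear during the initial (anonymous) connection.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // Step 1: StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037)
            // on the already-open connection. This is where StartTlsResponse
            // comes in: it is obtained from the context, not instantiated.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

            // Step 2: TLS handshake. The JDK implementation verifies the server
            // certificate against the default trust store and checks the
            // hostname by default; leave both checks enabled.
            SSLSession session = tls.negotiate();
            String protocol = session.getProtocol();

            // Step 3: now that the channel is protected, add credentials and
            // re-bind. reconnect() is what makes JNDI perform the new bind.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null);

            // Step 4: a real operation over the protected, authenticated channel.
            Attributes attrs = ctx.getAttributes(bindDn);
            System.out.println("Bound as " + bindDn + ", entry has "
                    + attrs.size() + " attributes, channel " + protocol
                    + " / " + session.getCipherSuite());
            return protocol;
        } finally {
            // Closing the StartTlsResponse tears the TLS layer down; the
            // underlying context is closed afterwards.
            if (tls != null) {
                tls.close();
            }
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: ApacheDS's default plain LDAP port and the default
        // admin DN. Replace with the real deployment's values.
        String protocol = connectWithStartTls(
                "ldap://localhost:10389", "uid=admin,ou=system", "secret");
        if (!"TLSv1.2".equals(protocol) && !"TLSv1.3".equals(protocol)) {
            System.err.println("WARNING: negotiated " + protocol
                    + "; check the server's enabled protocol versions.");
        }
    }
}
```

The order matters for security: the bind is deferred until after `negotiate()` returns, so the password never crosses the wire in clear text, and the negotiated protocol is surfaced so a deployment that requires TLS 1.2 or later can detect a server that still offers only older versions. The same sequence (plain connect, StartTLS extended operation, then bind) is what the Apache LDAP API performs when a connection is configured to use StartTLS, which is the alternative suggested in the reply above.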