Posted to commits@directory.apache.org by el...@apache.org on 2017/01/14 08:04:58 UTC

svn commit: r1778725 - /directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext

Author: elecharny
Date: Sat Jan 14 08:04:57 2017
New Revision: 1778725

URL: http://svn.apache.org/viewvc?rev=1778725&view=rev
Log:
Added some doco in LDAPS

Modified:
    directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext

Modified: directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext?rev=1778725&r1=1778724&r2=1778725&view=diff
==============================================================================
--- directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext (original)
+++ directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext Sat Jan 14 08:04:57 2017
@@ -87,11 +87,11 @@ Here, we use the _NoVerificationTrustMan
 
 One step further : you can define a dediated configuration that is passed to the constructor. Many parameters can be defined :
 
-* the enabled cipher suites
+* the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", etc)
 * the enabled protocols : a list of protocals that may be used ( "SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2")
 * the KeyManager instances
 * the SecureRandom instance
-* the SSL protocol to use
+* the SSL protocol to use : one of the enabled protocols
 * the TrustManager instances
 
 All those parameters are configured using the _LdapConnectionConfig_ class :
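Review bot: the rewritten line for "the SSL protocol to use : one of the enabled protocols" conflates two different JSSE settings, and the adjacent context line still advertises "SSLv3" as a usable protocol. In JSSE the SSL protocol is the algorithm name handed to SSLContext.getInstance (e.g. "TLS" or "TLSv1.2"), whereas the enabled-protocols list restricts which versions the handshake may actually negotiate; suggest rewording to something like "the SSL protocol to use : the SSLContext algorithm name (e.g. "TLSv1.2"), independent of the enabled protocols list". SSLv3 is known-broken (POODLE, RFC 7568) and the example list should not present it as a valid choice without a warning; TLSv1.2 is the sensible minimum to show. While touching these lines, the context also carries two typos, "dediated" and "protocals", that could be fixed in the same commit.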
@@ -110,4 +110,16 @@ All those parameters are configured usin
             assertTrue( connection.isAuthenticated() );
         }
 
+## LDAPS or startTLS ?
+
+The important point to understand with **LDAPS** is that every request being exchanged between the client and the server will be encrypted, because the underlying transport is encrypted. That means you can't start communicating with the LDAP server before the connection is secured.
+
+It has a few drawbacks :
+- first of all, it has an added CPU cost, as everything has to be encrypted and decrypted.
+- second, it requires a dedicated port, thus some specific routing rules (firewall, load balancers, etc)
+- third, it's a all of nothing choice. If you want to come back to a non-encrypted communication, you need to use another connection.
+
+This is the reason why the **startTLS** extended operation should be used.
+
+
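Review bot: the closing sentence recommends startTLS without the caveat that matters most for security: a startTLS connection begins in cleartext, so the client must issue the StartTLS extended operation before anything else and treat any non-success result as fatal, refusing to bind or send requests; otherwise an on-path attacker can strip the upgrade and the client silently continues unencrypted. That deserves a sentence here, since the section frames the choice purely as a convenience trade-off. Two smaller points: the first listed drawback (CPU cost of encrypting everything) applies equally to startTLS once the TLS layer is established, so it does not distinguish the two options; and "it's a all of nothing choice" should read "it's an all or nothing choice".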