Directory Services

Using Start-Stop TLS Encryption

The start and stop TLS functions let you enable transport layer security (TLS), formerly known as SSL, on an LDAP connection that was not created using TLS (SSL), and then stop using TLS when it is no longer required. Creating a TLS (SSL) LDAP connection the conventional way, either by connecting on port 636 or by specifying LDAP_OPT_SSL, produces a connection that is encrypted for its entire duration. In contrast, the start and stop TLS functions let you take a conventional, unencrypted LDAP session (for example, one on port 389), perform various unencrypted operations on it, and then call ldap_start_tls_s to enable encryption. You can then perform encrypted LDAP operations and, when you no longer require encryption, call ldap_stop_tls_s to return to an unencrypted session. This lets you protect the security-sensitive portions of an LDAP session with encryption, without the overhead of encrypting the entire session. The certificate requirements that apply to port 636 TLS (SSL) sessions, for example, that the client must trust the CA that issued the server's certificate, apply equally to the start and stop TLS functions.

Start and stop TLS (SSL) requires that the server have matching support, specifically, support for the extended operation 1.3.6.1.4.1.1466.20037. Start and stop TLS (SSL) affects the global connection state; that is, the connection is affected for all threads that use it.
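The session shape described above (unencrypted work on port 389, ldap_start_tls_s, credential-bearing work, ldap_stop_tls_s), as an added example that is not part of the Microsoft documentation, written in PowerShell against System.DirectoryServices.Protocols, whose StartTransportLayerSecurity and StopTransportLayerSecurity methods call the Wldap32 functions discussed here. The host name, base DN and the bind account are placeholders, and the rootDSE check for the extended operation OID is added here to confirm server support before relying on it.

```powershell
# Added example, not part of the Microsoft documentation. Assumes Windows
# PowerShell; 'dc.example.com' and 'DC=example,DC=com' are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'dc.example.com'
$baseDn = 'DC=example,DC=com'

# Conventional, unencrypted session on port 389; no automatic bind so that
# nothing credential-bearing is sent before TLS is up.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AutoBind = $false

# Same trust requirement as a port-636 session: the server certificate must
# chain to a trusted CA and be issued for the host we asked for.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    return ($cert.Verify() -and ($name -eq $server))
}.GetNewClosure()

# Unencrypted work: read the rootDSE and confirm the server advertises the
# StartTLS extended operation before trying to use it.
$rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'supportedExtension')
$rootDse = ([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($rootReq)).Entries[0]
$exts    = $rootDse.Attributes['supportedExtension'].GetValues([string])
if ($exts -notcontains '1.3.6.1.4.1.1466.20037') { throw "$server does not support StartTLS" }

# ldap_start_tls_s: the existing connection switches to TLS in place.
$conn.SessionOptions.StartTransportLayerSecurity($null)

# Sensitive work only while TLS is up: a simple bind sends the password in
# clear text at the LDAP layer, so it must never happen before this point.
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = (Get-Credential -Message 'LDAP bind account').GetNetworkCredential()
$conn.Bind()
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, '(objectClass=user)', 'Subtree', 'sAMAccountName')
$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
"{0} entries read over TLS" -f $resp.Entries.Count

# ldap_stop_tls_s: back to an unencrypted session. This is connection-wide,
# so any other thread still using $conn is now unencrypted too.
$conn.SessionOptions.StopTransportLayerSecurity()
$conn.Dispose()
```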