StartTLS


StartTLS

Alvin Chang-2
Hi all:

I searched for StartTLS in the mailing list archive, but found nothing, so I'm asking here. Does anyone know if StartTLS is supported by Hudson while using LDAP authentication?

Thanks,

--
Alvin Chang
Linux Systems Administrator
OpenX Limited

Skype: alvin.chang_at_openx.org
IRC: #openx on freenode.net

Re: StartTLS

Kohsuke Kawaguchi
Administrator
Alvin Chang wrote:
> Hi all:
>
> I searched for StartTLS in the mailing list archive, but found nothing so
> I'm asking here. Does anyone know if StartTLS is supported by Hudson while
> using LDAP authentication.

I'm sorry, what is StartTLS?

Google tells me that it's something SMTP related, not LDAP.

--
Kohsuke Kawaguchi
Sun Microsystems                   http://weblogs.java.net/blog/kohsuke/


Re: StartTLS

Robert Dale
On Mon, Aug 4, 2008 at 5:36 PM, Kohsuke Kawaguchi
<[hidden email]> wrote:
> Alvin Chang wrote:
>>
>> Hi all:
>>
>> I searched for StartTLS in the mailing list archive, but found nothing so
>> I'm asking here. Does anyone know if StartTLS is supported by Hudson while
>> using LDAP authentication.
>
> I'm sorry, what is StartTLS?

Here's a good description..

http://sial.org/howto/openssl/tls-name/

--
Robert Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: StartTLS

Kohsuke Kawaguchi
Administrator
Robert Dale wrote:

> On Mon, Aug 4, 2008 at 5:36 PM, Kohsuke Kawaguchi
> <[hidden email]> wrote:
>> Alvin Chang wrote:
>>>
>>> Hi all:
>>>
>>> I searched for StartTLS in the mailing list archive, but found nothing so
>>> I'm asking here. Does anyone know if StartTLS is supported by Hudson while
>>> using LDAP authentication.
>>
>> I'm sorry, what is StartTLS?
>
> Here's a good description..
>
> http://sial.org/howto/openssl/tls-name/
Thanks. I guess the reporter must be confusing this with something,
then. He's asking how to use an SMTP command called 'STARTTLS' with
LDAP, which doesn't make sense.

--
Kohsuke Kawaguchi
Sun Microsystems                   http://weblogs.java.net/blog/kohsuke/


Re: StartTLS

Robert Dale
On Mon, Aug 4, 2008 at 8:32 PM, Kohsuke Kawaguchi
<[hidden email]> wrote:

> Robert Dale wrote:
>>
>> On Mon, Aug 4, 2008 at 5:36 PM, Kohsuke Kawaguchi
>> <[hidden email]> wrote:
>>>
>>> Alvin Chang wrote:
>>>>
>>>> Hi all:
>>>>
>>>> I searched for StartTLS in the mailing list archive, but found nothing
>>>> so
>>>> I'm asking here. Does anyone know if StartTLS is supported by Hudson
>>>> while
>>>> using LDAP authentication.
>>>
>>> I'm sorry, what is StartTLS?
>>
>> Here's a good description..
>>
>> http://sial.org/howto/openssl/tls-name/
>
> Thanks. I guess the reporter must be confusing this with something, then.
> He's asking how to use an SMTP command called 'STARTTLS' with LDAP, which
> doesn't make sense.

No, StartTLS is in some LDAP implementations as well, and potentially
anything that wants TLS (or as most people know it, SSL).  StartTLS is
when you connect unsecure, but somewhere during the communication you
want to encrypt the conversation.  This lends to making TLS optional
and client-initiated on the same connection instead of connecting to a
specific secure port, like https.  It's like gzip compression for
webpages - the server says I support gzip, the client says I support
gzip, so then they converse with gzip, or maybe one or the other
doesn't support gzip and so they don't use gzip but they can still
communicate over the same socket, unlike https.

But the end result is that if you use an LDAP implementation that
supports StartTLS and make it a check box on the webpage, you're done.

As for a workaround, if the LDAP server supports StartTLS, it probably
supports TLS on the ldaps port, which means on the client, if it
doesn't support any type of TLS, you can use stunnel to make a secure
connection.  I guess it's just a little more convenient to check a box
though.

--
Robert Dale


Re: StartTLS

Kohsuke Kawaguchi
Administrator
OK, so it was me who was confused.

I probably should have just Googled more. This looks like the code to do it:
http://java.sun.com/products/jndi/tutorial/ldap/ext/starttls.html

2008/8/4 Robert Dale <[hidden email]>:

> On Mon, Aug 4, 2008 at 8:32 PM, Kohsuke Kawaguchi
> <[hidden email]> wrote:
>> Robert Dale wrote:
>>>
>>> On Mon, Aug 4, 2008 at 5:36 PM, Kohsuke Kawaguchi
>>> <[hidden email]> wrote:
>>>>
>>>> Alvin Chang wrote:
>>>>>
>>>>> Hi all:
>>>>>
>>>>> I searched for StartTLS in the mailing list archive, but found nothing
>>>>> so
>>>>> I'm asking here. Does anyone know if StartTLS is supported by Hudson
>>>>> while
>>>>> using LDAP authentication.
>>>>
>>>> I'm sorry, what is StartTLS?
>>>
>>> Here's a good description..
>>>
>>> http://sial.org/howto/openssl/tls-name/
>>
>> Thanks. I guess the reporter must be confusing this with something, then.
>> He's asking how to use an SMTP command called 'STARTTLS' with LDAP, which
>> doesn't make sense.
>
> No, StartTLS is in some LDAP implementations as well, and potentially
> anything that wants TLS (or as most people know it, SSL).  StartTLS is
> when you connect unsecure, but somewhere during the communication you
> want to encrypt the conversation.  This lends to making TLS optional
> and client-initiated on the same connection instead of connecting to a
> specific secure port, like https.  It's like gzip compression for
> webpages - the server says I support gzip, the client says I support
> gzip, so then they converse with gzip, or maybe one or the other
> doesn't support gzip and so they don't use gzip but they can still
> communicate over the same socket, unlike https.
>
> But the end result is that if you use an LDAP implementation that
> supports StartTLS and make it a check box on the webpage, you're done.
>
> As for a workaround, if the LDAP server supports StartTLS, it probably
> supports TLS on the ldaps port, which means on the client, if it
> doesn't support any type of TLS, you can use stunnel to make a secure
> connection.  I guess it's just a little more convenient to check a box
> though.
>
> --
> Robert Dale
>



--
Kohsuke Kawaguchi
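
The upgrade described in this thread (connect on the plain LDAP port, then switch the same connection to TLS) looks like this with the JNDI StartTLS extension classes. This is an added example, not code from the thread or from Hudson; the host name and bind DN are hypothetical. It binds only after the TLS negotiation has succeeded, so a server that lacks StartTLS causes an exception rather than a cleartext bind.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class LdapStartTlsBind {
    /** Returns true if the dn/password bind succeeds; credentials are sent only after TLS is up. */
    static boolean bindOverStartTls(String url, String dn, char[] password) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);          // plain ldap:// URL, not ldaps://
        // No credentials in env: the initial cleartext connection is anonymous.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // Extended operation asking the server to upgrade this same connection.
            // Throws if the server does not support StartTLS, so the bind is never reached.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // TLS handshake; throws IOException on handshake or host name verification failure.
            SSLSession session = tls.negotiate();
            System.out.println("TLS up: " + session.getProtocol() + " " + session.getCipherSuite());

            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null);                     // re-bind with the credentials, now over TLS
            return true;
        } catch (AuthenticationException e) {
            return false;                            // wrong DN or password
        } finally {
            if (tls != null) tls.close();            // shut the TLS layer down first
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical host and DN, for illustration only.
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.com:389";
        String dn = args.length > 1 ? args[1] : "uid=hudson,ou=services,dc=example,dc=com";
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        char[] pw = System.console().readPassword("Password for %s: ", dn);
        System.out.println(bindOverStartTls(url, dn, pw) ? "bind OK" : "bind rejected");
    }
}
```

The server certificate must chain to a CA in the JVM's trust store, otherwise `negotiate()` fails before any credentials are sent.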
