
STARTTLS support for LDAP in s_client #1955

Closed
robert-scheck opened this issue Nov 18, 2016 · 7 comments
Comments

@robert-scheck
Contributor

It would be great to be able to run openssl s_client -connect localhost:389 -starttls ldap for TLS related debugging purposes at LDAP where the classical SSL variant with TCP port 636 isn't available. As per http://stackoverflow.com/questions/11549731/is-it-possible-to-send-ldap-requests-via-telnet it does not make much sense to try to speak LDAP "by hand", but having STARTTLS support for LDAP in s_client would be still appreciated for TLS related testing and debugging.

@vdukhovni

I don't think it is a good idea to create a mutual dependency between OpenSSL and OpenLDAP. If speaking LDAP starttls "by hand" is too difficult, then such debugging tools should be created on the OpenLDAP side and not in s_client.

@robert-scheck
Contributor Author

I also wouldn't speak FTP or XMPP "by hand", but openssl s_client supports it. My intention behind STARTTLS support for LDAP is more the TLS part to check certificate chains, force some TLS versions or ciphers etc. I guess only fewer people are doing more than that "by hand" with the FTP or XMPP support in openssl s_client, too. And I'm definitely not interested in creating a real dependency, but sending some LDAP-ish sequences to initiate a STARTTLS for LDAP should be possible without any OpenLDAP code dependency, I assume (that's about what happens for XMPP at the moment).
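The "LDAP-ish sequence" needed to start TLS is small: one RFC 4511 ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037, answered by an ExtendedResponse whose resultCode must be 0 (success) before the TLS handshake begins on the same TCP connection. The following is an added example written for this page, not code from OpenSSL or OpenLDAP; it builds that request as BER, parses the response (including a refusal), and hands the socket to Python's ssl module. The sample response bytes are constructed here, not captured from a real server, and the function names are this example's own.

```python
"""LDAP StartTLS by hand: encode the RFC 4511 ExtendedRequest, decode the
ExtendedResponse and then wrap the same TCP connection in TLS.
Added example for this thread; not OpenSSL or OpenLDAP code."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511, section 4.14.1

# BER tags used below (X.690 encoding of the RFC 4511 ASN.1)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] requestName inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A      # [10] responseName inside ExtendedResponse


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Two's-complement INTEGER contents (so 128 becomes 00 80, not 80)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    ext_req = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + ext_req)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER element at buf[pos]; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER contents")
    return tag, buf[pos:end], end


def parse_extended_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse }; reject anything else."""
    tag, msg, end = read_tlv(data)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    tag, body, _ = read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, code, p = read_tlv(body)           # LDAPResult: resultCode, matchedDN, diagnosticMessage
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode missing")
    _, matched_dn, p = read_tlv(body, p)
    _, diag, p = read_tlv(body, p)
    response_name = None
    while p < len(body):                    # optional referral [3], responseName [10], responseValue [11]
        tag, val, p = read_tlv(body, p)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched_dn.decode("utf-8"),
            "diagnostic": diag.decode("utf-8"),
            "response_name": response_name}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the StartTLS response")
        buf += chunk
    return buf


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (header first, then the body)."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def starttls(host: str, port: int = 389) -> ssl.SSLSocket:
    """Connect, do the StartTLS exchange and return the TLS-wrapped socket.
    Nothing sensitive is sent before the handshake; the default context
    verifies the chain and the hostname, which is the point of the exercise."""
    sock = socket.create_connection((host, port))
    sock.sendall(build_starttls_request(1))
    resp = parse_extended_response(recv_ldap_message(sock))
    if resp["message_id"] != 1 or resp["result_code"] != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: resultCode %d %r" % (resp["result_code"], resp["diagnostic"]))
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)


# Constructed sample responses (hand-assembled for this example, not captured):
# success with empty matchedDN and diagnosticMessage, and a refusal with resultCode 1.
SAMPLE_OK = bytes.fromhex("300c020101" "7807" "0a0100" "0400" "0400")
SAMPLE_REFUSED = b"\x30\x1d\x02\x01\x01\x78\x18\x0a\x01\x01\x04\x00\x04\x11TLS not supported"
```

The request this produces is 31 bytes, `30 1d 02 01 01 77 18 80 16` followed by the OID as ASCII, which is the whole of the protocol-specific knowledge an s_client-style `-starttls ldap` needs; everything after a successful response is plain TLS and can be tested with the usual cipher and version options.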

@robert-scheck
Contributor Author

robert-scheck commented Jan 26, 2017

Now that I did #2293, I was made aware by @rtandy that @quanah pointed out an existing patch at https://rt.openssl.org/Ticket/Display.html?id=2665 already years ago – which meanwhile led to #1733 and #1735 (it seems to do indeed more than my PR does, but I'm unfortunately not knowledgeable enough to follow up #1735 though).

@richsalz
Contributor

so many ldap PRs :) we'll have to sort this out.

@levitte
Member

levitte commented Jan 26, 2017

Only two PRs, really... and they really do the same, one just happens to be a bit more verbose than the other (and easier to change, should it come to that)

@akostadinov

Can this issue be closed as a duplicate of #1733 and possibly the PR moved forward?

@richsalz
Contributor

Yes, dup of #1733.
