Why doesn’t ldapsearch over ssl/tls work?

First, replace -h my.server.com -p 3269 with -H ldaps://my.server.com:3269 as suggested by @dearlbry. Then, in /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on my Ubuntu 13.04), disable certificate verification by adding this:

    HOST my.server.com
    PORT 3269
    TLS_REQCERT ALLOW

You can also create a ldaprc file in the current directory with the same content if you don’t want to …

Postfix and OpenJDK 11: “No appropriate protocol (protocol is disabled or cipher suites are inappropriate)”

I was facing the same issue using JDK 11. But I resolved it by commenting this line in the java.security file: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves

STARTTLS vs SSL/TLS [closed]

The clearest explanation that I’ve read is from FastMail: SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you’re referring to a specific version of the protocol. …

Is STARTTLS less safe than TLS/SSL?

The answer, based on the STARTTLS RFC for SMTP (RFC 3207) is: STARTTLS is less secure than TLS. Instead of doing the talking myself, I will allow the RFC to speak for itself, with the four relevant bits highlighted in BOLD: A man-in-the-middle attack can be launched by deleting the “250 STARTTLS” response from the …