Clarify TLS and SSL descriptions in Guide
In Directory Service > LDAP there is an option:
"Encryption Mode:" with 3 choices: Off, SSL, TLS.
This is rather confusing as TLS is basically the new name for SSL.
Does "SSL" mean SSLv3 and older I wondered? Does "TLS" mean TLSv1.0 and newer I wondered? To the docs! They say here:
"Choices are Off, SSL, or TLS. Note that either SSL or TLS and a Certificate must be selected in order for authentication to work."
So no answer there.
The little question mark button in the GUI helps more, saying: "This parameter specifies whether to use SSL/TLS, e.g. on/off/start_tls"
So I suspect it's the exact same confusion as often happens with email, specifically:
I still don't know what the 3 choices mean, but I really think they need to be renamed, and for the help text and docs to also elaborate more.
After reading this:
My best guess of what FreeNAS actually means is:
SSL -> LDAPS aka "LDAP over SSL", port 636
TLS -> StartTLS, port 389
Can anyone confirm?
Originally, I asked which is true: A or B:
(A) When the FreeNAS UI refers to "SSL" does it mean SSLv3? And when it refers to "TLS" does it mean TLSv1.x?
(B) Is it referring to this: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#StartTLS
"SSL" means: LDAPS aka "LDAP over SSL", port 636
"TLS" means: StartTLS, port 389
Those 2 PRs just add a link to https://www.globalsign.com/en/blog/ssl-vs-tls-difference/ which suggests you are answering (A). Is that so? I was pretty sure it's (B).
Sean McBride wrote:
OK, thanks. Because if I'm right, the recent commits make it even worse IMHO.
Hello, Sean. I've just confirmed with two others about your questions. You are correct.
In short, we have
    if self.ssl in (FREENAS_LDAP_NOSSL, FREENAS_LDAP_USETLS):
        proto = "ldap"    # Off or TLS: plain ldap:// URI (StartTLS upgrades it in-band)
    elif self.ssl == FREENAS_LDAP_USESSL:
        proto = "ldaps"   # SSL: ldaps:// URI, TLS from the first byte
Thus, if you choose SSL, it's the ldaps protocol (over port 636). Otherwise, if you choose TLS, it's the ldap protocol using TLS over port 389.
I will be adding this to the docs shortly.
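To make the difference concrete, here is an added example (not FreeNAS code) showing what the three GUI choices mean on the wire: "SSL" is TLS from the first byte on 636, "TLS" is a cleartext LDAP session on 389 that is upgraded by the RFC 4511 StartTLS extended operation before anything sensitive (such as the bind) is sent, and "Off" is cleartext throughout. The `ldap_target`, `starttls_request` and `starttls_result_code` names and the sample reply bytes are constructed for this illustration; only the standard library is used.

```python
"""Added example, not FreeNAS code: the three LDAP 'Encryption Mode' choices on the wire."""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511

# Constructed sample ExtendedResponse with resultCode 0 (success), for offline use.
SAMPLE_OK_REPLY = bytes.fromhex("300c02010178070a010004000400")


def ldap_target(mode: str):
    """Map the FreeNAS GUI choice to (URI scheme, port, needs StartTLS upgrade)."""
    if mode == "SSL":      # LDAPS: TLS handshake first, then LDAP inside it
        return "ldaps", 636, False
    if mode == "TLS":      # StartTLS: plain LDAP, then in-band upgrade
        return "ldap", 389, True
    return "ldap", 389, False  # Off: everything, including the bind, is cleartext


def _ber(tag: int, body: bytes) -> bytes:
    """Tag-length-value with a short-form length (enough for these messages)."""
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    assert 0 <= message_id < 128
    ext_req = _ber(0x77, _ber(0x80, STARTTLS_OID.encode()))
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext_req)


def starttls_result_code(reply: bytes) -> int:
    """resultCode from an ExtendedResponse [APPLICATION 24]; nonzero means do not upgrade."""
    if reply[0] != 0x30 or reply[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    pos = 4 + reply[3]  # skip the messageID INTEGER
    if reply[pos] != 0x78 or reply[pos + 2] != 0x0A:
        raise ValueError("not an ExtendedResponse")
    return reply[pos + 4]


def open_encrypted(mode: str, host: str, ca_file: str):
    """Open a socket the way each mode requires; only 'Off' returns a cleartext socket."""
    scheme, port, upgrade = ldap_target(mode)
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED plus hostname check
    sock = socket.create_connection((host, port))
    if scheme == "ldaps":
        return ctx.wrap_socket(sock, server_hostname=host)
    if upgrade:
        sock.sendall(starttls_request())
        if starttls_result_code(sock.recv(4096)) != 0:
            sock.close()
            raise RuntimeError("server refused StartTLS; bind not sent in cleartext")
        return ctx.wrap_socket(sock, server_hostname=host)
    return sock
```

Note that `open_encrypted` treats a refused StartTLS as fatal rather than falling back to cleartext, which is the behaviour a client should have when the administrator selected an encrypted mode.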
Sean McBride wrote:
That's much better, thanks!
Could we not go further and change the actual UI from:
Encryption Mode: Off, SSL, TLS.
to something like:
Encryption Mode: Off, LDAPS, StartTLS.
Thanks for the suggestion. Since that is a feature request, I will open a separate ticket and relate this one to it.