Bug #58083

Add link to Guide that explains TLS and SSL encryption

Added by Sean McBride 2 months ago. Updated 7 days ago.

Status: In Progress
Priority: No priority
Assignee: Aaron St. John
Category: Documentation
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

In Directory Service > LDAP there is an option:

"Encryption Mode:" with 3 choices: Off, SSL, TLS.

This is rather confusing as TLS is basically the new name for SSL.

Does "SSL" mean SSLv3 and older I wondered? Does "TLS" mean TLSv1.0 and newer I wondered? To the docs! They say here:

http://doc.freenas.org/11/directoryservice.html#ldap

"Choices are Off, SSL, or TLS. Note that either SSL or TLS and a Certificate must be selected in order for authentication to work."

So no answer there.

The little question mark button in the GUI helps more, saying: "This parameter specifies whether to use SSL/TLS, e.g. on/off/start_tls"

So I suspect it's the exact same confusion as often happens with email, specifically:
https://www.fastmail.com/help/technical/ssltlsstarttls.html

I still don't know what the 3 choices mean, but I really think they need to be renamed, and for the help text and docs to also elaborate more.

History

#1 Updated by Dru Lavigne 2 months ago

  • Category changed from GUI (new) to Documentation
  • Assignee changed from Release Council to Warren Block
  • Target version changed from Backlog to 11.2-U2

#2 Updated by Sean McBride 2 months ago

After reading this:
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#StartTLS

My best guess of what FreeNAS actually means is:
SSL -> LDAPS aka "LDAP over SSL", port 636
TLS -> StartTLS, port 389

Can anyone confirm?

#3 Updated by Warren Block about 2 months ago

  • Assignee changed from Warren Block to Aaron St. John

#4 Updated by Aaron St. John 21 days ago

  • Status changed from Unscreened to In Progress
  • Needs Doc changed from Yes to No

#5 Updated by Sean McBride 19 days ago

Originally, I asked which is true: A or B:

(A) When the FreeNAS UI refers to "SSL" does it mean SSLv3? And when it refers to "TLS" does it mean TLSv1.x?

or

(B) Is it referring to this: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#StartTLS

i.e.:
"SSL" means: LDAPS aka "LDAP over SSL", port 636
"TLS" means: StartTLS, port 389

Those 2 PRs just add a link to https://www.globalsign.com/en/blog/ssl-vs-tls-difference/ which suggests you are answering (A). Is that so? I was pretty sure it's (B).

#6 Updated by Dru Lavigne 7 days ago

  • Subject changed from LDAP "Encryption Mode:" docs & UI unclear on "SSL" vs "TLS" choice to Add link to Guide that explains TLS and SSL encryption
  • Status changed from In Progress to Ready for Testing
  • Needs Merging changed from Yes to No

#7 Updated by Sean McBride 7 days ago

Well, I see you merged those commits. So you're saying it's (A) and not (B)? Do I need a Wireshark capture to prove you wrong?
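
The two meanings proposed under (B) are distinguishable from the first client payload of a connection: with LDAPS the client opens with a TLS handshake record, while with StartTLS it opens with a cleartext LDAP ExtendedRequest carrying the StartTLS OID. The following is an added example, not code from this thread or from FreeNAS, that classifies such a payload; the function names and the sample bytes are constructed for illustration.

```python
"""Classify the first client bytes of an LDAP connection (constructed samples)."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(first_bytes):
    """Return 'implicit-tls', 'starttls', 'plaintext-ldap' or 'unknown'."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "implicit-tls"  # TLS handshake record: client speaks TLS first (LDAPS)
    try:
        tag, msg, _ = read_tlv(first_bytes, 0)
        if tag != 0x30:  # LDAPMessage is a SEQUENCE
            return "unknown"
        _, _, pos = read_tlv(msg, 0)        # messageID INTEGER
        op_tag, op, _ = read_tlv(msg, pos)  # protocolOp
        if op_tag == 0x77:  # ExtendedRequest [APPLICATION 23]
            name_tag, name, _ = read_tlv(op, 0)
            if name_tag == 0x80 and name == STARTTLS_OID:
                return "starttls"
        return "plaintext-ldap"
    except (ValueError, IndexError):
        return "unknown"

# Constructed samples, not taken from a real capture.
SAMPLES = {
    "client_hello": bytes.fromhex("16030100c8010000c40303"),
    "starttls_req": bytes.fromhex("301d02010177188016") + STARTTLS_OID,
    "anon_bind": bytes.fromhex("300c020101600702010304008000"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify(data)}")
```

A "plaintext-ldap" result for the first payload means a bind or search was sent before any TLS negotiation, which is the case to look for when encryption is expected.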

#8 Updated by Dru Lavigne 7 days ago

  • Status changed from Ready for Testing to In Progress
  • Needs Doc changed from No to Yes
  • Needs Merging changed from No to Yes

#9 Updated by Aaron St. John 7 days ago

  • Status changed from In Progress to Ready for Testing
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

Hello, Sean. Sorry for the confusion. I'm still working on clarifying your questions with another subject matter expert.

#10 Updated by Aaron St. John 7 days ago

  • Status changed from Ready for Testing to In Progress
  • Needs Doc changed from No to Yes
  • Needs Merging changed from No to Yes

#11 Updated by Sean McBride 7 days ago

OK, thanks. Because if I'm right, the recent commits make it even worse IMHO.
