TLS is Transport Layer Security, the standardized successor to the SSL protocol originally developed by Netscape. It is used today to secure many client-server connections over TCP/IP networks, including web (HTTP), email (SMTP) and directory (LDAP) connections, as well as many other types of traffic. It is fairly easy to set up and maintain. You do have to plan and schedule certificate replacements and deployments, but that is easily accomplished with a solid procedure dovetailed into the rest of the periodic system auditing and maintenance work.

Opportunistic TLS means that a server will accept a TLS connection when the client asks for one during the initial exchange, but will not require it. When a client does request TLS, a TLS session is established and the traffic of that connection is encrypted; otherwise the connection proceeds without it. This is typically useful for servers that don't know in advance which clients they will have to serve and therefore must accept both TLS and non-TLS connections.

Required TLS forces TLS and blocks traffic unless a TLS session has been established between the two endpoints of the connection. TLS can be required on the server side, on the client side, or on both. Some implementations allow finer-grained control, such as lists of peer IP addresses for which TLS is required. Many email implementations, such as Postfix and McAfee Email Protection Services, boast of this functionality.

OpenLDAP TLS_REQCERT and TLSVerifyClient: LDAP implementations such as OpenLDAP have the TLS_REQCERT option on the client side and the TLSVerifyClient option on the server side. Each controls whether to allow a connection based on whether the other side presents a valid certificate. Both have a "try" setting, which is another form of opportunistic TLS.
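The Postfix per-client requirement mentioned above and the OpenLDAP "try" versus "demand" settings, as added configuration fragments (not taken from the original post or from either project); the file paths and the two Postfix map names are assumptions for the example.

```conf
# --- Postfix /etc/postfix/main.cf (assumed path) ---
# Opportunistic TLS on the receiving side: STARTTLS is offered, plaintext is still accepted.
smtpd_tls_security_level = may
# Required TLS instead: every SMTP client must negotiate STARTTLS before sending mail.
#smtpd_tls_security_level = encrypt

# Stay opportunistic overall but require TLS from listed peers: clients matched in the
# CIDR map (assumed name) are rejected unless the session is already encrypted. With the
# default smtpd_delay_reject = yes this is evaluated at RCPT TO, i.e. after STARTTLS.
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/tls_required_clients, permit
# /etc/postfix/tls_required_clients would contain lines such as:
#   192.0.2.0/24    reject_plaintext_session

# Sending side: opportunistic by default, required for selected destinations.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# /etc/postfix/tls_policy (build it with postmap) would contain lines such as:
#   partner.example            encrypt
#   [mx.partner.example]:587   secure

# --- OpenLDAP client /etc/ldap/ldap.conf (assumed path) ---
# "try": request the server certificate; proceed if none is sent, fail if one is invalid.
#TLS_REQCERT try
# "demand": fail unless a valid server certificate is presented.
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

# --- OpenLDAP server slapd.conf ---
# "try": ask the client for a certificate, tolerate its absence, reject an invalid one.
#TLSVerifyClient try
# "demand": require a valid client certificate on every TLS session.
TLSVerifyClient demand
```

The opportunistic settings protect only against passive observation, since a party able to tamper with the connection can keep it in plaintext; that gap is what the required settings close.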

If you are interested in securing the traffic of your network or internet connections, you can contact Rex Consulting today. We have a wealth of experience with TLS encryption on many applications, such as email servers, LDAP servers, and web servers.

© Copyright 2020 Rex Consulting, Inc. – All rights reserved