I'm rewording my question so hopefully I can get a better response. I asked a similar question on serverfault here, and think that a proper and valid TLS server i
The "STARTTLS command" is something that's defined outside the TLS spec. It's what a client sends to a server on a previously unencrypted connection to say "Ok, lets start a TLS negotiation now".
Not all protocols implement such a command. SMTP does, but HTTP and LDAP (as far as I'm aware) do not.
When an explicit command to begin TLS is not present, the usual alternative is to designate a specific port: like 443 for HTTP(s) and 636 for LDAP(s). In that case, the TLS negotiation begins as soon as the TCP connection is established.
A good tool for troubleshooting that is the "s_client" tool in openssl. For example:
openssl s_client -connect ldap.mycompany.com:636
will connect and dump out the server's certificate. Think of it as being like "Telnet" for a TLS connection. (Of course, LDAP is not a text-based protocol, so you can't do anything useful from the keyboard once the TLS connection is established.)
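The two start modes the answer contrasts, as an added example that is not part of the original post: an SMTP client that talks in the clear, checks the EHLO capability list for STARTTLS and only then sends the upgrade command (a port-636 client would skip straight to the handshake). The scripted fake server, host names and banner text are constructed so the exchange runs offline over a socketpair.

```python
import socket
import threading

def smtp_reply_lines(sock):
    """Read one possibly multi-line SMTP reply; return (code, [text after the code])."""
    lines, buf = [], b""
    while True:
        ch = sock.recv(1)
        if not ch:
            raise ConnectionError("server closed the connection")
        buf += ch
        if buf.endswith(b"\r\n"):
            line, buf = buf[:-2].decode("ascii"), b""
            lines.append(line[4:])
            if line[3:4] == " ":  # "250 text" ends the reply, "250-text" continues it
                return line[:3], lines

def explicit_tls_ready(sock):
    """STARTTLS mode: clear text until the server agrees; True where the handshake would start."""
    code, _ = smtp_reply_lines(sock)
    if code != "220":
        raise ConnectionError(f"unexpected banner {code}")
    sock.sendall(b"EHLO client.example\r\n")
    code, caps = smtp_reply_lines(sock)
    if code != "250" or "STARTTLS" not in caps:
        # Fail closed: without the capability there is no TLS, so send nothing sensitive
        return False
    sock.sendall(b"STARTTLS\r\n")
    code, _ = smtp_reply_lines(sock)
    return code == "220"  # from here on it is the same handshake a port-636 client runs at once

def scripted_server(sock, advertise_starttls):
    """Constructed fake SMTP server, so the exchange can run offline."""
    sock.sendall(b"220 mail.example ESMTP\r\n")
    sock.recv(1024)  # EHLO
    caps = b"250-mail.example\r\n" + (b"250-STARTTLS\r\n" if advertise_starttls else b"")
    sock.sendall(caps + b"250 SIZE 10240000\r\n")
    if advertise_starttls:
        sock.recv(1024)  # STARTTLS
        sock.sendall(b"220 Ready to start TLS\r\n")

def run_starttls_demo(advertise_starttls):
    client, server = socket.socketpair()
    t = threading.Thread(target=scripted_server, args=(server, advertise_starttls))
    t.start()
    try:
        return explicit_tls_ready(client)
    finally:
        t.join(); client.close(); server.close()
```

Against a real server, `openssl s_client -starttls smtp -connect host:25` performs the same exchange before the handshake, whereas the plain `-connect host:636` form from the answer skips it.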