!!! Overview
[{$pagename}] is a protocol extension that implements [Opportunistic TLS]: the client first connects in clear text on the protocol's normal port and then asks the server to upgrade that same connection to [TLS]. Whether the upgrade actually happens depends on both sides, which is what makes [{$pagename}] harder to get right than a port that is [TLS] from the first byte.

!! [{$pagename}] [Implementation Vulnerabilities|Implementation Vulnerability]
Published vulnerabilities in mail and directory servers and clients [1] illustrate that implementing [{$pagename}] correctly is challenging: the implementation has to switch from a clear-text parser to a [TLS] channel mid-connection, and anything buffered or trusted before the switch is a potential weakness.

%%warning
Prefer implicit [TLS] on its own dedicated port over [{$pagename}] wherever the protocol offers one.
%%

[{$applicationname}] therefore recommends avoiding [{$pagename}] when possible and ideally deprecating it in the long term, at least for client-to-server communication. This recommendation is in line with [RFC 8314] ("Cleartext Considered Obsolete"), which already recommends that mail clients prefer implicit [TLS] on its own ports over [{$pagename}] for IMAP, POP3 and SMTP submission.


!! [{$pagename}] [LDAP]
[{$pagename}] for [LDAP] allows an [LDAP] server to use the same network port (389 by default) for both secure and insecure communication, instead of the separate [TLS]-only port (636) used by LDAPS.

[{$pagename}] for [LDAP] is implemented as an [Extended Request] that the client sends over an otherwise clear-text connection; if the server accepts, both sides perform a [TLS] handshake on that connection and all further [LDAP] traffic is carried inside the [TLS] channel.
 
The [LDAP] [{$pagename}] extended operation is defined in [RFC 4511] and further described in [RFC 4513]. A server advertises support for it by listing the operation's [OID] in the [SupportedExtension] attribute of its root DSE.


The [{$pagename}] extended request uses an [OID] of [1.3.6.1.4.1.1466.20037] with no request value. The response carries the same [OID] ([1.3.6.1.4.1.1466.20037]) as its response name, again with no value. A resultCode of success means the server is willing to negotiate; [RFC 4511] lists operationsError (for example, [TLS] is already established on the connection), protocolError ([TLS] not supported, or a malformed request) and unavailable (the server cannot negotiate [TLS] at the moment) as the refusals. Until the response arrives the client MUST NOT send further PDUs on the connection, and a client that requires [TLS] must treat any non-success response, or an unexpected response name, as fatal for the connection rather than continue in clear text.
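As an added example (not from the original page, and not the code of any LDAP implementation), the following Python builds the Start TLS extended request described above at the BER level, parses the server's extended response, and decides, failing closed, whether the client may begin the TLS handshake. The tag values are those of RFC 4511; the sample server replies are constructed inline rather than captured from a real server, and the function names are the example's own.

```python
START_TLS_OID = "1.3.6.1.4.1.1466.20037"
LDAP_SUCCESS, LDAP_OPERATIONS_ERROR, LDAP_PROTOCOL_ERROR = 0, 1, 2

# BER tags used by the exchange (RFC 4511, Section 4.14 and Appendix B)
TAG_SEQUENCE = 0x30        # LDAPMessage
TAG_INTEGER = 0x02         # messageID
TAG_ENUMERATED = 0x0A      # resultCode
TAG_OCTET_STRING = 0x04    # matchedDN, diagnosticMessage
TAG_EXT_REQUEST = 0x77     # [APPLICATION 23] ExtendedRequest
TAG_EXT_RESPONSE = 0x78    # [APPLICATION 24] ExtendedResponse
TAG_REQUEST_NAME = 0x80    # [0]  requestName
TAG_RESPONSE_NAME = 0x8A   # [10] responseName
TAG_RESPONSE_VALUE = 0x8B  # [11] responseValue


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n: int) -> bytes:
    """Two's-complement BER INTEGER contents for a non-negative n."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def encode_start_tls_request(message_id: int = 1) -> bytes:
    """LDAPMessage{messageID, ExtendedRequest{requestName=Start TLS OID}}; no requestValue."""
    ext_req = tlv(TAG_EXT_REQUEST, tlv(TAG_REQUEST_NAME, START_TLS_OID.encode()))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + ext_req)


def encode_extended_response(message_id: int, result_code: int, diag: str = "",
                             response_name=START_TLS_OID) -> bytes:
    """Server side: LDAPResult fields, then the optional responseName (same OID)."""
    inner = (tlv(TAG_ENUMERATED, ber_int(result_code)) + tlv(TAG_OCTET_STRING, b"")
             + tlv(TAG_OCTET_STRING, diag.encode()))
    if response_name is not None:
        inner += tlv(TAG_RESPONSE_NAME, response_name.encode())
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + tlv(TAG_EXT_RESPONSE, inner))


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at data[pos]; IndexError if truncated."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise IndexError("truncated TLV")
    return tag, data[pos:pos + length], pos + length


def decode_extended_response(pdu: bytes) -> dict:
    """Parse an LDAPMessage carrying an ExtendedResponse into its fields."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(body, pos)
    if tag != TAG_EXT_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    fields = {"message_id": int.from_bytes(raw_id, "big"),
              "response_name": None, "response_value": None}
    _, code, pos = read_tlv(resp, 0)
    fields["result_code"] = int.from_bytes(code, "big")
    _, dn, pos = read_tlv(resp, pos)
    _, diag, pos = read_tlv(resp, pos)
    fields["matched_dn"], fields["diagnostic_message"] = dn.decode(), diag.decode()
    while pos < len(resp):                  # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            fields["response_name"] = val.decode()
        elif tag == TAG_RESPONSE_VALUE:
            fields["response_value"] = val
    return fields


def may_start_handshake(request_id: int, pdu: bytes) -> bool:
    """Fail closed: start the TLS handshake only on a success response that echoes
    our messageID and the Start TLS OID. An error code, a different OID, or an
    unparsable PDU must abort the connection, never continue in clear text."""
    try:
        r = decode_extended_response(pdu)
    except (ValueError, IndexError):
        return False
    return (r["message_id"] == request_id and r["result_code"] == LDAP_SUCCESS
            and r["response_name"] == START_TLS_OID)


# Constructed sample replies (not captured traffic): one acceptance, two refusals.
SERVER_OK = encode_extended_response(1, LDAP_SUCCESS)
SERVER_REFUSED = encode_extended_response(1, LDAP_PROTOCOL_ERROR, "TLS not supported")
SERVER_ALREADY_TLS = encode_extended_response(1, LDAP_OPERATIONS_ERROR, "TLS already established")

if __name__ == "__main__":
    print("request :", encode_start_tls_request(1).hex())
    print("response:", decode_extended_response(SERVER_OK))
    for name, pdu in ("ok", SERVER_OK), ("refused", SERVER_REFUSED), ("already", SERVER_ALREADY_TLS):
        print(name, "-> start handshake:", may_start_handshake(1, pdu))
```

Run stand-alone, it prints the 31-byte request (the bytes 30 1d 02 01 01 77 18 80 16 followed by the OID as ASCII), the decoded fields of the success reply, and that only the success reply permits the handshake. The decision function deliberately checks the messageID and the echoed OID as well as the result code, so a reply that is not the answer to this request does not let the client proceed.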

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Vulnerabilities show fragility of STARTTLS|https://www.feistyduck.com/bulletproof-tls-newsletter/issue_80_vulnerabilities_show_fragility_of_starttls|target='_blank'] - based on information obtained 2021-08-31