On 2013-02-26 3:59 PM, Ben Morrow <ben@morrow.me.uk> wrote:
At 3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
Now the only other question is, again already being contemplated by Timo apparently, why the config file uses SSL... Why not?
Because, as has been pointed out, TLS is the 'new', and SSL is the 'old'?
Timo, what I would suggest is allow the use of ssl in the config file for backwards compat, but change future versions to use TLS...
I would be against that idea.
My turn... why?
I'm curious though... I'm fairly certain that my Android phone differentiates between SSL and TLS, with choices something like:
    NONE
    SSL if available
    SSL Always
    TLS if available
    TLS Always
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
I suspect the difference is that the 'SSL' options use imap-over-SSL on port 993 while the 'TLS' options use STARTTLS over port 143.
Don't know how you or Reindl came to that conclusion, because the ports are specified separately.
So, I can specify port 993, and TLS.
The IETF caused completely unnecessary confusion by using 'TLS' to refer to two different things: a (backwards-compatible) minor revision of the SSL protocol itself, and a change in the recommended way of using it. Almost all SSL connections nowadays will be using SSL 3.2 or 3.3 (that is, the TLS 1.1 or 1.2 protocol), even imaps and https connections using the old-fashioned approach of using a different port dedicated to SSL connections. In principle there's no reason why an IMAP STARTTLS connection couldn't negotiate SSL 2.0, but that would be a bad idea since SSL 2.0 is known to be insecure.
Well, you're obviously right about it being confusing, and that in and of itself is not a good thing...
Oh well, whatever, it isn't that big a deal...
--
Best regards,
*/Charles/*
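
An added example, not part of the original message: the thread separates how the handshake is started (dedicated port or STARTTLS) from which protocol version is offered, and this sketch reads both from the client-to-server bytes of an IMAP connection. The function names and result fields are hypothetical. The version reported is the one the client offers in its ClientHello, not the one finally negotiated.

```python
# Added example. Wire version bytes -> the usual protocol names.
# SSL 2.0 uses the constant 0x0002; SSL 3.0 and TLS use major 3.
# TLS 1.3 clients also send 3.3 here and signal 1.3 in an extension,
# which this sketch does not parse.
WIRE_NAMES = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
              (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
INSECURE = {"SSL 2.0", "SSL 3.0"}


def parse_client_hello(b: bytes):
    """Return the (major, minor) version a ClientHello offers, or None."""
    # SSL 3.0 / TLS record: type 0x16 (handshake), 2-byte record version,
    # 2-byte length, handshake type 0x01, 3-byte length, client_version.
    if len(b) >= 11 and b[0] == 0x16 and b[1] == 3 and b[5] == 0x01:
        return (b[9], b[10])
    # SSL 2.0 framing: 2-byte header with the high bit set, message
    # type 0x01, then the highest version the client will accept.
    if len(b) >= 5 and b[0] & 0x80 and b[2] == 0x01:
        return (b[3], b[4])
    return None


def classify_imap_client_stream(stream: bytes) -> dict:
    """Classify client-to-server bytes seen on an IMAP port (143 or 993)."""
    mode, version = "plaintext", parse_client_hello(stream)
    if version is not None:
        mode = "implicit (handshake first)"
    else:
        rest = stream
        while b"\r\n" in rest:
            line, rest = rest.split(b"\r\n", 1)
            words = line.split()
            # "<tag> STARTTLS": everything after this line is the handshake.
            if len(words) == 2 and words[1].upper() == b"STARTTLS":
                mode, version = "STARTTLS upgrade", parse_client_hello(rest)
                break
    name = WIRE_NAMES.get(version, "unknown") if version else None
    return {"mode": mode, "offered": name, "insecure": name in INSECURE}
```

Either mode can carry any version: the same ClientHello parser is applied whether the handshake opens the connection or follows a STARTTLS command.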