[Dovecot] Protocol logging - TLS vs SSL
Hi all,
Ok, I have:
login_log_format_elements = user=<%u> method=%m rip=%r lport=%{lport} mpid=%e %c session=<%{session}>
We only allow inbound IMAP, and only SSL on port 993.
Looking at the logs, %c is obviously the encryption type, but...
Why does it say 'TLS', when it technically (there is a difference after all) should say 'SSL'?
Not a big deal, but it is just something I've been meaning to ask.
--
Best regards,
*/Charles/*
On 26.02.2013 21:05, Charles Marcus wrote:
Why does it say 'TLS', when it technically (there is a difference after all) should say 'SSL'? Not a big deal, but it is just something I've been meaning to ask
Because it is practically the same? http://en.wikipedia.org/wiki/Transport_Layer_Security
On 2013-02-26 3:09 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
On 26.02.2013 21:05, Charles Marcus wrote:
Why does it say 'TLS', when it technically (there is a difference after all) should say 'SSL'? Not a big deal, but it is just something I've been meaning to ask because it is practically the same? http://en.wikipedia.org/wiki/Transport_Layer_Security
Practically - but not *exactly*, hence my use of the word 'technically'...
Maybe I'm picking nits, but that doesn't change the fact that they are *not* exactly the same.
--
Best regards,
*/Charles/*
On 26.2.2013, at 22.18, Charles Marcus <CMarcus@Media-Brokers.com> wrote:
On 2013-02-26 3:09 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
On 26.02.2013 21:05, Charles Marcus wrote:
Why does it say 'TLS', when it technically (there is a difference after all) should say 'SSL'? Not a big deal, but it is just something I've been meaning to ask because it is practically the same? http://en.wikipedia.org/wiki/Transport_Layer_Security
Practically - but not *exactly*, hence my use of the word 'technically'...
Maybe I'm picking nits, but that doesn't change the fact that they are *not* exactly the same.
Technically you're almost definitely using the TLS protocol (it has nothing to do with ports). http://wiki2.dovecot.org/SSL has some info about Dovecot's naming. (Of course, in Dovecot it's somewhat confusing since the config files use SSL but the logs use TLS.. uhm..)
On 26.02.2013 21:18, Charles Marcus wrote:
On 2013-02-26 3:09 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
On 26.02.2013 21:05, Charles Marcus wrote:
Why does it say 'TLS', when it technically (there is a difference after all) should say 'SSL'? Not a big deal, but it is just something I've been meaning to ask because it is practically the same? http://en.wikipedia.org/wiki/Transport_Layer_Security
Practically - but not *exactly*, hence my use of the word 'technically'... Maybe I'm picking nits, but that doesn't change the fact that they are *not* exactly the same
Ah, so enlighten us about the big difference you see, and what in SSL is not "transport layer security".
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380515%28v=vs.85%2... TLS is a standard closely related to SSL 3.0, and is sometimes referred to as "SSL 3.1"
On 2013-02-26 3:22 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
ah so enlighten us about the big difference you see and what in SSL is not "transport layer security" http://msdn.microsoft.com/en-us/library/windows/desktop/aa380515%28v=vs.85%2... TLS is a standard closely related to SSL 3.0, and is sometimes referred to as "SSL 3.1"
Reindl, you really need to learn how not to be such a total ass.
How precisely do you equate 'not *exactly* the same', and there is a 'big difference'?
Again, there *is* a technical difference, albeit minor:
http://kb.iu.edu/data/anjv.html
Anyway, as usual, Timo is spot on... Thunderbird has the choice of 'SSL/TLS', and I imagine it is because TLS uses stronger encryption algorithms (which I just learned) that Dovecot uses it when given the choice.
Now the only other question is, again already being contemplated by Timo apparently, why the config file uses SSL...
Timo, what I would suggest is allow the use of ssl in the config file for backwards compat, but change future versions to use TLS...
I'm curious though... I'm fairly certain that my Android phone differentiates between SSL and TLS, with choices something like:
NONE
SSL if available
SSL Always
TLS if available
TLS Always
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
--
Best regards,
*/Charles/*
On 26.2.2013, at 22.46, Charles Marcus <CMarcus@Media-Brokers.com> wrote:
I'm curious though... I'm fairly certain that my Android phone differentiates between SSL and TLS, with choices something like:
NONE
SSL if available
SSL Always
TLS if available
TLS Always
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
Those aren't really about SSL/TLS either. The same choices in slightly better words are:
- none
- TLS on port 993 if available
- TLS on port 993 always
- STARTTLS on port 143 if available
- STARTTLS on port 143 always
On 2013-02-26 3:50 PM, Timo Sirainen <tss@iki.fi> wrote:
Those aren't really about SSL/TLS either. The same choices in slightly better words are:
- none
- TLS on port 993 if available
- TLS on port 993 always
- STARTTLS on port 143 if available
- STARTTLS on port 143 always
Great... I guess its (the confusion) even worse than I thought.
Thanks Timo, I'll bow out of this conversation now and just forget I asked the question...
--
Best regards,
*/Charles/*
On 26.02.2013 21:46, Charles Marcus wrote:
On 2013-02-26 3:22 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
ah so enlighten us about the big difference you see and what in SSL is not "transport layer security" http://msdn.microsoft.com/en-us/library/windows/desktop/aa380515%28v=vs.85%2... TLS is a standard closely related to SSL 3.0, and is sometimes referred to as "SSL 3.1"
Reindl, you really need to learn how not to be such a total ass
You have no idea how I act if I want to be an ass.
How precisely do you equate 'not *exactly* the same', and there is a 'big difference'. Again, there *is* a technical difference, albeit minor: http://kb.iu.edu/data/anjv.html
Not really.
Anyway, as usual, Timo is spot on... Thunderbird has the choice of 'SSL/TLS'
To show the ordinary user it is practically the same, while STARTTLS starts with an unencrypted connection to do a handshake.
and I imagine it is because TLS uses
stronger encryption algorithms (which I just learned) that Dovecot uses it when given the choice.
bruahaha
TLS is practically the next SSL version after SSL 3.0 and internally SSL 3.x; in fact it is only a wording issue.
NONE
SSL if available
SSL Always
TLS if available
TLS Always
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
pfffffff
SSL if available: use port 993 if available, but you may use 143 unencrypted
SSL Always: always use port 993
TLS if available: use STARTTLS on 143 if available, but if not use no encryption
TLS Always: always use STARTTLS on 143
On 26.02.2013 21:55, Reindl Harald wrote:
To show the ordinary user it is practically the same, while STARTTLS starts with an unencrypted connection to do a handshake.
and I imagine it is because TLS uses
stronger encryption algorithms (which I just learned) that Dovecot uses it when given the choice
bruahaha
TLS is practically the next SSL version after SSL 3.0 and internally SSL 3.x; in fact it is only a wording issue.
And to make you completely weird:
Dovecot, Postfix and many others are using OpenSSL libraries, which do (oh wonder) TLS, while GnuTLS can do SSL as well.
On 2013-02-26 3:58 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
And to make you completely weird:
Dovecot, Postfix and many others are using OpenSSL libraries, which do (oh wonder) TLS, while GnuTLS can do SSL as well.
Absolutely no idea what you said or meant here...
--
Best regards,
*/Charles/*
On 26.02.2013 22:41, Charles Marcus wrote:
On 2013-02-26 3:58 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
And to make you completely weird:
Dovecot, Postfix and many others are using OpenSSL libraries, which do (oh wonder) TLS, while GnuTLS can do SSL as well.
Absolutely no idea what you said or meant here...
if it is not the same why are doing GnuTLS and OpenSSL finally both? HMM - because TLS is SSL3.1 is the reason and in fact due development it was indeed called SSL3.1 before someone changed the name to TLS
At 10PM +0100 on 26/02/13 you (Reindl Harald) wrote:
On 26.02.2013 22:41, Charles Marcus wrote:
Absolutely no idea what you said or meant here...
if it is not the same why are doing GnuTLS and OpenSSL finally both? HMM - because TLS is SSL3.1 is the reason and in fact due development it was indeed called SSL3.1 before someone changed the name to TLS
Even if punctuation is too much to ask, could you at least *try* to write coherent English sentences?
Ben
On 26.02.2013 23:30, Ben Morrow wrote:
At 10PM +0100 on 26/02/13 you (Reindl Harald) wrote:
On 26.02.2013 22:41, Charles Marcus wrote:
Absolutely no idea what you said or meant here...
if it is not the same why are doing GnuTLS and OpenSSL finally both? HMM - because TLS is SSL3.1 is the reason and in fact due development it was indeed called SSL3.1 before someone changed the name to TLS
Even if punctuation is too much to ask, could you at least *try* to write coherent English sentences?
In short for you: TLS === SSL 3.1
Could the OP at least read basic documentation, is the better question.
Ok, this really will be my last email on the subject...
On 2013-02-26 3:20 PM, Timo Sirainen <tss@iki.fi> wrote:
Technically you're almost definitely using the TLS protocol (it has nothing to do with ports). http://wiki2.dovecot.org/SSL has some info about Dovecot's naming. (Of course, in Dovecot it's somewhat confusing since the config files use SSL but the logs use TLS.. uhm..)
Ok, I think I understand now, thanks Timo..
So, since (apparently) the 'new' correct term is TLS, why not change all of dovecots documentation (including the wiki) and the config code/files to reference it correctly? Not doing so, in my opinion, just perpetuates the confusion.
So, add the new tls/tls_ settings, keep the old ssl/ssl_ settings for backwards compat, document this clearly everywhere, especially on the wiki, and let doveconf -[d][n] output show explanatory text that the older ssl/ssl_ settings are deprecated in favor of the new tls/tls_ settings whenever someone is using them.
Dovecot's wiki page could then be a good general reference for de-confusing others (like me)... ;)
Also - I'd be very much in favor of the logging the precise version of TLS that is being used - ie, TLS_1.#, rather than just the generic 'TLS'.
On 2013-02-26 5:10 PM, Noel <noeldude@gmail.com> wrote:
This is just a dumbing-down of the terms for the mass market. <snip> Anyone who's confused by this is trying too hard. It's really all TLS.
Yeah, I figured that all out now, thanks to the gentle prodding by Reindl.
Thanks Noel. Fwiw, I really hate ambiguity (especially with respect to things technical), so this will always bother me, but not much I can do about it. At least now I know.
And I just noticed that Thunderbird actually does it right (although it should be TLS/SSL, not SSL/TLS, since TLS is the 'new/correct' term)... cool...
On 2013-02-26 5:28 PM, Ben Morrow <ben@morrow.me.uk> wrote:
I'm generally against gratuitous changes for no good reason.
Me too... but I don't see a change that makes dovecot use the *correct* terminology for TLS/SSL in both its documentation and logging as 'gratuitous change', but that is just me. If you really do, then I guess we'll just have to agree to disagree.
--
Best regards,
*/Charles/*
On 2013-02-26 3:55 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
TLS is practically the next SSL version after SSL 3.0 and internally SSL 3.x, in fact it is only a wording issue
Prove it.
In fact, there is obviously plenty of confusion about it (based on just a few minutes of googling), but, I'm inclined to agree with you on this point.
NONE
SSL if available
SSL Always
TLS if available
TLS Always
pfffffff
SSL if available: use port 993 if available, but you may use 143 unencrypted
SSL Always: always use port 993
TLS if available: use STARTTLS on 143 if available, but if not use no encryption
TLS Always: always use STARTTLS on 143
pffffffffff yourself - in fact, I just visually confirmed...
The native Android mail shows these choices:
None
SSL
SSL (Accept all certificates)
TLS
TLS (Accept all certificates)
and the K-9 mail app shows these:
None
SSL (if available)
SSL (always)
TLS (if available)
TLS (always)
And again, the port is specified in its own box, so is *not* tied to one of these choices.
If memory serves, the iPhone is similar (the port is totally separate from the security type).
--
Best regards,
*/Charles/*
On 26.02.2013 22:38, Charles Marcus wrote:
On 2013-02-26 3:55 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
TLS is practically the next SSL version after SSL 3.0 and internally SSL 3.x, in fact it is only a wording issue
Prove it.
Damned, I have proven it at least an hour ago; read the first line of the following link:
http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant to preclude interoperability between TLS 1.0 and SSL 3.0. " TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.
pfffffff
SSL if available: use port 993 if available, but you may use 143 unencrypted
SSL Always: always use port 993
TLS if available: use STARTTLS on 143 if available, but if not use no encryption
TLS Always: always use STARTTLS on 143
pffffffffff yourself - in fact, I just visually confirmed... The native Android mail shows these choices
It does not interest me what you have VISUALLY confirmed; there are only two choices:
The client shows you bullshit because it is not its job to explain the differences to you, and it knows better than you that on 143 it has to use STARTTLS, which it cannot do on 993.
The client fails with STARTTLS on 993 or TLS/SSL on 143, the same for smtps/pop3s.
I guess it does the first of the two choices.
In fact 993 is SSL/TLS and NOT STARTTLS; in fact 143 is unencrypted or STARTTLS.
Try it out: configure Postfix 587/465 the wrong way around and look what happens, or configure Postfix to relay to a server via SSL on port 465 which does not support STARTTLS and look what happens.
Google: "difference ssl starttls" http://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
Here you have a really good explanation of WHAT STARTTLS is, and yes, in this context there is no difference between pop3/imap3/smtp: http://www.postfix.org/CVE-2011-0411.html
On 26.02.2013 22:49, Reindl Harald wrote:
On 26.02.2013 22:38, Charles Marcus wrote:
On 2013-02-26 3:55 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
TLS is practically the next SSL version after SSL 3.0 and internally SSL 3.x, in fact it is only a wording issue
Prove it
And I prove it again: http://www.freesoft.org/CIE/Topics/121.htm
TLS is documented in RFC 2246 and identifies itself in the protocol version field as SSL 3.1
If you need more information, please consult Google, RFCs and manpages; the Dovecot list is simply the wrong place.
SSL Version 3, documented in an IETF draft, provides one of the most commonly available security mechanisms on the Internet. SSL stands for Secure Sockets Layer, though IETF has renamed it TLS (Transport Layer Security). TLS is documented in RFC 2246 and identifies itself in the protocol version field as SSL 3.1
On 2/26/2013 3:38 PM, Charles Marcus wrote:
The native Android mail shows these choices:
None
SSL
SSL (Accept all certificates)
TLS
TLS (Accept all certificates)
This is just a dumbing-down of the terms for the mass market. Many end-user mail clients use these same terms, so at least they have a little consistency.
In this case:
SSL means wrapper mode TLS (not really SSL unless that's all the server supports)
TLS means STARTTLS (can fall back to SSL if that's all the server supports)
As you know, there are common ports for wrapper mode and STARTTLS, and they aren't compatible. The SSL/TLS designation, while not technically correct, is a convenient way to tell users which to pick without a long on-screen description.
Anyone who's confused by this is trying too hard. It's really all TLS.
-- Noel Jones
At 3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
Now the only other question is, again already being contemplated by Timo apparently, why the config file uses SSL...
Why not?
Timo, what I would suggest is allow the use of ssl in the config file for backwards compat, but change future versions to use TLS...
I would be against that idea.
I'm curious though... I'm fairly certain that my Android phone differentiates between SSL and TLS, with choices something like:
NONE
SSL if available
SSL Always
TLS if available
TLS Always
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
I suspect the difference is that the 'SSL' options use imap-over-SSL on port 993 while the 'TLS' options use STARTTLS over port 143. The IETF caused completely unnecessary confusion by using 'TLS' to refer to two different things: a (backwards-compatible) minor revision of the SSL protocol itself, and a change in the recommended way of using it. Almost all SSL connections nowadays will be using SSL 3.2 or 3.3 (that is, the TLS 1.1 or 1.2 protocol), even imaps and https connections using the old-fashioned approach of using a different port dedicated to SSL connections. In principle there's no reason why an IMAP STARTTLS connection couldn't negotiate SSL 2.0, but that would be a bad idea since SSL 2.0 is known to be insecure.
Ben
On 2013-02-26 3:59 PM, Ben Morrow <ben@morrow.me.uk> wrote:
At 3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
Now the only other question is, again already being contemplated by Timo apparently, why the config file uses SSL... Why not?
Because, as has been pointed out, TLS is the 'new', and SSL is the 'old'?
Timo, what I would suggest is allow the use of ssl in the config file for backwards compat, but change future versions to use TLS...
I would be against that idea.
My turn... why?
I'm curious though... I'm fairly certain that my Android phone differentiates between SSL and TLS, with choices something like:
NONE
SSL if available
SSL Always
TLS if available
TLS Always
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
I suspect the difference is that the 'SSL' options use imap-over-SSL on port 993 while the 'TLS' options use STARTTLS over port 143.
Don't know how you or Reindl came to that conclusion, because the ports are specified separately.
So, I can specify port 993, and TLS.
The IETF caused completely unnecessary confusion by using 'TLS' to refer to two different things: a (backwards-compatible) minor revision of the SSL protocol itself, and a change in the recommended way of using it. Almost all SSL connections nowadays will be using SSL 3.2 or 3.3 (that is, the TLS 1.1 or 1.2 protocol), even imaps and https connections using the old-fashioned approach of using a different port dedicated to SSL connections. In principle there's no reason why an IMAP STARTTLS connection couldn't negotiate SSL 2.0, but that would be a bad idea since SSL 2.0 is known to be insecure.
Well, you're obviously right about it being confusing, and that in and of itself is not a good thing...
Oh well, whatever, it isn't that big a deal...
--
Best regards,
*/Charles/*
On 26.02.2013 22:19, Charles Marcus wrote:
On 2013-02-26 3:59 PM, Ben Morrow <ben@morrow.me.uk> wrote:
At 3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
Now the only other question is, again already being contemplated by Timo apparently, why the config file uses SSL... Why not?
Because, as has been pointed out, TLS is the 'new', and SSL is the 'old'?
and you still do not understand that it is the same
Timo, what I would suggest is allow the use of ssl in the config file for backwards compat, but change future versions to use TLS...
I would be against that idea.
My turn... why?
because it is a useless change which makes code complexer and more error proof
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
I suspect the difference is that the 'SSL' options use imap-over-SSL on port 993 while the 'TLS' options use STARTTLS over port 143.
Don't know how you or Reindl came to that conclusion, because the ports are specified separately.
because if you would spend 10 seconds of your time with a default Thunderbird setup you would see that STARTTLS is 143 and TLS/SSL is 993, because the port switches with the dropdown change
So, I can specify port 993, and TLS.
And if you specify STARTTLS on port 993 it would not work; also SSL/TLS without STARTTLS on 143 would not work.
why?
because 143 is STARTTLS (google) and 993 is SSL
the same for SMTP
STARTTLS: 25 or 587 (submission)
SSL/TLS: 465 (deprecated and NOT STARTTLS)
Well, you're obviously right about it being confusing, and that in and of itself is not a good thing... Oh well, whatever, it isn't that big a deal...
and that is why ANY touching of server source code is not worth it
On 2013-02-26 4:26 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
On 26.02.2013 22:19, Charles Marcus wrote:
On 2013-02-26 3:59 PM, Ben Morrow <ben@morrow.me.uk> wrote:
At 3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
Now the only other question is, again already being contemplated by Timo apparently, why the config file uses SSL... Why not? Because, as has been pointed out, TLS is the 'new', and SSL is the 'old'? and you still do not understand that it is the same
I meant the new NAME. But obviously you're more interested in picking fights than having a conversation.
Timo, what I would suggest is allow the use of ssl in the config file for backwards compat, but change future versions to use TLS...
I would be against that idea.
My turn... why?
because it is a useless change which makes code complexer and more error proof
Assuming you meant error-PRONE, that is ridiculous.
Postfix does things like this all the time (implementing something new but maintaining the old way for backwards compat). If it is done right, it won't hurt a thing (and I think we all know timo knows how to do things right).
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL? I suspect the difference is that the 'SSL' options use imap-over-SSL on port 993 while the 'TLS' options use STARTTLS over port 143. Don't know how you or Reindl came to that conclusion, because the ports are specified separately. because if you would spend 10 seconds of your time with a default Thunderbird setup you would see that STARTTLS is 143 and TLS/SSL is 993, because the port switches with the dropdown change
Yes, but again, they are independent, and you can change the port if you like.
Question: can you use arbitrary ports for secure IMAP/POP/SMTP? I don't see why not. You can use arbitrary ports for secure http...
--
Best regards,
*/Charles/*
On 26.02.2013 23:03, Charles Marcus wrote:
Question: can you use arbitrary ports for secure IMAP/POP/SMTP? I don't see why not. You can use arbitrary ports for secure http...
You still refuse to understand the difference between STARTTLS and SSL/TLS; we are speaking about 143/993 to not confuse your ignorance by bliss more than it is already the case.
Postfix example for port 465: YES YOU CAN use any other of the 65535, BUT if you configure "smtpd_tls_wrappermode=yes" for smtp on port 25 you will never ever receive any ssl/tls encrypted message, because it is NOT STARTTLS, and at least Postfix does not support tls_wrappermode for smtp AKA outgoing mail.
http://www.postfix.org/TLS_README.html#client_tls
Although the Postfix SMTP client by itself doesn't support TLS wrapper mode, it is relatively easy to forward a connection through the stunnel program if Postfix needs to deliver mail to some legacy system that doesn't support STARTTLS
If you still refuse to understand the difference, I fear nobody is able to help you on this world; people can write manpages for you, but you have to read them on your own.
smtps     inet  n       -       n       -       20      smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_wrappermode=yes
On Feb 26, 2013, at 4:12 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
On 26.02.2013 23:03, Charles Marcus wrote:
Question: can you use arbitrary ports for secure IMAP/POP/SMTP? I don't see why not. You can use arbitrary ports for secure http...
You still refuse to understand the difference between STARTTLS and SSL/TLS; we are speaking about 143/993 to not confuse your ignorance by bliss more than it is already the case.
*scribble scribble scribble*
Can you two take it off list, for the love of FSM? Interesting that whenever I see dovecot@dovecot.org blowing up my inbox, one or both of you are always involved.
-bdh
At 4PM -0500 on 26/02/13 you (Charles Marcus) wrote:
On 2013-02-26 3:59 PM, Ben Morrow <ben@morrow.me.uk> wrote:
At 3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
Now the only other question is, again already being contemplated by Timo apparently, why the config file uses SSL... Why not?
Because, as has been pointed out, TLS is the 'new', and SSL is the 'old'?
Timo, what I would suggest is allow the use of ssl in the config file for backwards compat, but change future versions to use TLS...
I would be against that idea.
My turn... why?
I'm generally against gratuitous changes for no good reason.
I'm curious though... I'm fairly certain that my Android phone differentiates between SSL and TLS, with choices something like:
NONE
SSL if available
SSL Always
TLS if available
TLS Always
And I always choose (chose - from now on I'll choose TLS) 'SSL Always', so shouldn't these connections show 'SSL' instead of TLS, since I'm basically forcing my phone to SSL?
I suspect the difference is that the 'SSL' options use imap-over-SSL on port 993 while the 'TLS' options use STARTTLS over port 143.
Don't know how you or Reindl came to that conclusion, because the ports are specified separately.
So, I can specify port 993, and TLS.
OK. What happens if you do that? Does the client start with an SSL ClientHello, or does it start by waiting for a plain-text OK IMAP response and then issuing CAPABILITY or STARTTLS in plain text? I suspect it does the latter, which will not work with any ordinarily-configured IMAP server (though of course it would be *possible* to configure Dovecot to support that).
Ben
At 9PM +0100 on 26/02/13 you (Reindl Harald) wrote:
TLS is a standard closely related to SSL 3.0, and is sometimes referred to as "SSL 3.1"
More specifically, TLS x.y is just SSL (x+2).(y+1) with a completely unnecessary name and version change. For example, TLS 1.2 internally identifies itself as SSL 3.3.
Ben
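Two claims in this thread can be checked against actual bytes rather than argued about: Ben's formula that TLS x.y identifies itself on the wire as SSL (x+2).(y+1) (so TLS 1.2 is 0x0303, "SSL 3.3"), and Timo's point that a client's "SSL" versus "TLS" setting is really implicit TLS on 993 versus STARTTLS on 143, which open the connection in incompatible ways. The Python below is an added example written for this page, not code from Dovecot, Postfix or any participant. The ClientHello it builds and the IMAP greeting it inspects are constructed samples, not captures, and the function names (tls_to_wire, version_names, build_client_hello, classify_first_bytes) are the example's own.

```python
"""Added example: what 'SSL' versus 'TLS' looks like on the wire.

Two points from the thread, checked against bytes:
  1. The TLS protocol version field keeps the SSL numbering: TLS x.y is
     sent as major x+2, minor y+1, so TLS 1.2 is 0x0303, i.e. "SSL 3.3".
  2. A client set to "SSL" (implicit TLS, port 993) opens with a TLS
     ClientHello; one set to "TLS" (STARTTLS, port 143) first waits for a
     plaintext "* OK ..." IMAP greeting. Swapping them on a port fails.
The ClientHello and the greeting below are constructed samples.
"""

# Wire version (major, minor) -> the name people actually use.
TLS_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",  # only inside the supported_versions extension;
                        # a TLS 1.3 ClientHello body still says 0x0303
}


def tls_to_wire(major, minor):
    """TLS x.y -> the (major, minor) bytes that appear on the wire."""
    return (major + 2, minor + 1)


def version_names(major, minor):
    """Return (internal 'SSL a.b' name, TLS name) for a wire version."""
    return ("SSL %d.%d" % (major, minor), TLS_NAMES.get((major, minor), "unknown"))


def build_client_hello(client_version=(3, 3), record_version=(3, 1)):
    """Constructed minimal ClientHello record with no extensions.

    Real clients usually send the record layer as 0x0301 for compatibility
    and advertise their highest version in the handshake body."""
    body = bytes(client_version)              # client_version
    body += bytes(32)                         # random: zeros, constructed sample
    body += b"\x00"                           # session_id length = 0
    body += b"\x00\x02" + b"\xc0\x2f"         # one suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                       # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(record_version) + len(handshake).to_bytes(2, "big") + handshake


def classify_first_bytes(data):
    """Decide from the first bytes seen on a connection which mode is in use."""
    # TLS record: type 0x16 (handshake), version(2), length(2); then the
    # handshake header: type 0x01 (ClientHello), length(3), client_version(2).
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        record_version = (data[1], data[2])
        client_version = (data[9], data[10])
        internal, name = version_names(*client_version)
        return {"mode": "implicit-tls", "record_version": record_version,
                "client_version": client_version,
                "internal_name": internal, "tls_name": name}
    # Plaintext IMAP: the server speaks first, so a STARTTLS client waits for
    # this greeting and only then sends STARTTLS in the clear.
    if data.startswith(b"* OK"):
        return {"mode": "plaintext-imap", "starttls_offered": b"STARTTLS" in data}
    return {"mode": "unknown"}


# Constructed sample of a port-143 greeting that advertises STARTTLS.
SAMPLE_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.\r\n"

if __name__ == "__main__":
    print(classify_first_bytes(build_client_hello()))   # what a 993 listener receives
    print(classify_first_bytes(SAMPLE_GREETING))        # what a 143 client sees first
    print(tls_to_wire(1, 2), version_names(*tls_to_wire(1, 2)))
```

The two failure modes from the thread fall out of this directly: a STARTTLS client pointed at 993 waits for a greeting that never comes, because the server is waiting for a ClientHello, and an implicit-TLS client pointed at 143 sends a ClientHello that the plaintext IMAP parser rejects as a malformed command. Note that the version in the ClientHello is only the client's offer; the version that is actually negotiated is what a log line like Dovecot's %c would have to record, and it is fixed by the ServerHello.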