[Dovecot] Protocol logging - TLS vs SSL

Ben Morrow ben at morrow.me.uk
Tue Feb 26 22:59:41 EET 2013


At 3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
> 
> Now the only other question is, again already being contemplated by Timo 
> apparently, why the config file uses SSL...

Why not?

> Timo, what I would suggest is allow the use of ssl in the config file 
> for backwards compat, but change future versions to use TLS...

I would be against that idea.

> I'm curious though... I'm fairly certain that my Android phone 
> differentiates between SSL and TLS, with choices something like:
> 
> NONE
> SSL if available
> SSL Always
> TLS if available
> TLS Always
> 
> And I always choose (chose - from now on I'll choose TLS) 'SSL Always', 
> so shouldn't these connections show 'SSL' instead of TLS, since I'm 
> basically forcing my phone to SSL?

I suspect the difference is that the 'SSL' options use imap-over-SSL on
port 993 while the 'TLS' options use STARTTLS over port 143. The IETF
caused completely unnecessary confusion by using 'TLS' to refer to two
different things: a (backwards-compatible) minor revision of the SSL
protocol itself, and a change in the recommended way of using it. Almost
all SSL connections nowadays will be using SSL 3.2 or 3.3 (that is, the
TLS 1.1 or 1.2 protocol), even imaps and https connections using the
old-fashioned approach of using a different port dedicated to SSL
connections. In principle there's no reason why an IMAP STARTTLS
connection couldn't negotiate SSL 2.0, but that would be a bad idea
since SSL 2.0 is known to be insecure.

Ben
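The point Ben makes above has two halves: the version field on the wire is "SSL 3.x" whichever name the IETF gave it, and "imaps on 993" versus "STARTTLS on 143" is a transport choice, not a protocol choice, which is why a server log says TLS for both. The following is an added example, not code from the Dovecot project or from anyone in this thread. It parses the version a ClientHello offers and reports it under both namings, builds a client context that refuses anything older than TLS 1.2 (so SSL 2.0 and 3.0 can never be negotiated), and shows the two connection styles the Android menu distinguishes. The sample hello bytes are constructed; the host name and network access in the connect functions are assumptions.

```python
"""Added example: the two meanings of 'TLS' in IMAP, seen from a client."""
from __future__ import annotations

import imaplib
import ssl
import struct

# Wire version field (major, minor) -> (IETF name, "SSL x.y" naming).
# TLS 1.3 still writes 3.3 in this legacy field and negotiates 1.3 through
# the supported_versions extension, so a ClientHello alone shows at most 3.3.
VERSION_NAMES = {
    (2, 0): ("SSLv2", "SSL 2.0"),
    (3, 0): ("SSLv3", "SSL 3.0"),
    (3, 1): ("TLSv1.0", "SSL 3.1"),
    (3, 2): ("TLSv1.1", "SSL 3.2"),
    (3, 3): ("TLSv1.2", "SSL 3.3"),
    (3, 4): ("TLSv1.3", "SSL 3.4"),
}

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01

# Constructed samples, not real captures.
# Modern layout: record header says 3.1, the ClientHello itself offers 3.3.
SAMPLE_TLS_HELLO = b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x03"
# Legacy SSLv2-compatible CLIENT-HELLO: 2-byte length with high bit set,
# message type 0x01, then the version the client offers (here SSL 3.0).
SAMPLE_SSLV2_HELLO = b"\x80\x03\x01\x03\x00"


def parse_hello_version(data: bytes) -> tuple[str, str]:
    """Return (ietf_name, ssl_style_name) for the version a ClientHello offers.

    Understands both the TLS record layout and the SSLv2-compatible hello.
    Raises ValueError for anything that is not a ClientHello.
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:
        # SSLv2 framing: no record header, version sits right after msg type
        if data[2] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        major, minor = data[3], data[4]
    else:
        content_type, _rec_major, _rec_minor, rec_len = struct.unpack(
            "!BBBH", data[:5]
        )
        if content_type != CONTENT_HANDSHAKE:
            raise ValueError("not a handshake record")
        body = data[5:5 + rec_len]
        # body layout: msg_type(1) length(3) client_version(2) ...
        if len(body) < 6 or body[0] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("record does not carry a ClientHello")
        major, minor = body[4], body[5]
    try:
        return VERSION_NAMES[(major, minor)]
    except KeyError:
        raise ValueError(f"unknown version {major}.{minor}") from None


def hardened_context() -> ssl.SSLContext:
    """Client context that negotiates TLS 1.2 or newer only and verifies the
    server certificate and host name against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_imaps(host: str, port: int = 993) -> imaplib.IMAP4_SSL:
    """'SSL Always' style: TLS from the first byte on the dedicated port."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=hardened_context())


def connect_starttls(host: str, port: int = 143) -> imaplib.IMAP4:
    """'TLS Always' style: plaintext IMAP greeting, then upgrade via STARTTLS.
    Raises if the server does not offer STARTTLS, so there is no silent
    fallback to cleartext."""
    conn = imaplib.IMAP4(host, port)
    conn.starttls(hardened_context())
    return conn


if __name__ == "__main__":
    for label, hello in (("TLS record", SAMPLE_TLS_HELLO),
                         ("SSLv2 hello", SAMPLE_SSLV2_HELLO)):
        ietf, ssl_name = parse_hello_version(hello)
        print(f"{label}: client offers {ietf} (= {ssl_name})")
    # After either connect_imaps(host) or connect_starttls(host), the
    # negotiated version is conn.sock.version(); both report "TLSv1.2" or
    # "TLSv1.3" with this context, which is the same thing a server log
    # means when it prints "TLS" for a connection on 993 or on 143.
```

Both connect functions end up with the same kind of socket, which is the practical reading of Ben's answer: the menu choice decides when the handshake happens, the context decides which protocol revision is acceptable, and the log line only records the latter.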
