[Dovecot] Protocol logging - TLS vs SSL

Charles Marcus CMarcus at Media-Brokers.com
Tue Feb 26 23:19:14 EET 2013


On 2013-02-26 3:59 PM, Ben Morrow <ben at morrow.me.uk> wrote:
> At  3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
>> Now the only other question is, again already being contemplated by Timo
>> apparently, why the config file uses SSL...
> Why not?

Because, as has been pointed out, TLS is the 'new', and SSL is the 'old'?

>> Timo, what I would suggest is allow the use of ssl in the config file
>> for backwards compat, but change future versions to use TLS...

> I would be against that idea.

My turn... why?

>> I'm curious though... I'm fairly certain that my Android phone
>> differentiates between SSL and TLS, with choices something like:
>>
>> NONE
>> SSL if available
>> SSL Always
>> TLS if available
>> TLS Always
>>
>> And I always choose (chose - from now on I'll choose TLS) 'SSL Always',
>> so shouldn't these connections show 'SSL' instead of TLS, since I'm
>> basically forcing my phone to SSL?

> I suspect the difference is that the 'SSL' options use imap-over-SSL on
> port 993 while the 'TLS' options use STARTTLS over port 143.

Don't know how you or Reindl came to that conclusion, because the ports 
are specified separately.

So, I can specify port 993, and TLS.

> The IETF caused completely unnecessary confusion by using 'TLS' to refer to two
> different things: a (backwards-compatible) minor revision of the SSL
> protocol itself, and a change in the recommended way of using it. Almost
> all SSL connections nowadays will be using SSL 3.2 or 3.3 (that is, the
> TLS 1.1 or 1.2 protocol), even imaps and https connections using the
> old-fashioned approach of using a different port dedicated to SSL
> connections. In principle there's no reason why an IMAP STARTTLS
> connection couldn't negotiate SSL 2.0, but that would be a bad idea
> since SSL 2.0 is known to be insecure.

Well, you're obviously right about it being confusing, and that in and 
of itself is not a good thing...

Oh well, whatever, it isn't that big a deal...

-- 

Best regards,

*/Charles/*
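The two meanings of "TLS" that Ben describes, as an added example that is not part of the thread: one helper maps an Android-style option to how the session is started (implicit on a dedicated port such as 993, or STARTTLS on 143), the other opens the session that way and reports the protocol version actually negotiated, which is TLS 1.2 or later in both cases. The host name is a placeholder and the network part only runs from `main`.

```python
import imaplib
import ssl
from typing import Optional, Tuple

IMAPS_PORT, IMAP_PORT = 993, 143


def hardened_context() -> ssl.SSLContext:
    # One context serves both start modes: how the session is started does not
    # change which protocol versions are acceptable. SSL 2.0/3.0 cannot be
    # negotiated with this minimum, whichever port the client uses.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def plan(option: str, port: Optional[int] = None) -> Tuple[str, int, bool]:
    """Map a client option ('SSL Always', 'TLS if available', ...) to
    (start mode, port, required). The port is a separate setting, so an
    explicit port overrides the conventional default for the mode."""
    o = option.strip().lower()
    if o == "none":
        return ("plaintext", port or IMAP_PORT, False)
    mode = "implicit" if o.startswith("ssl") else "starttls"
    required = o.endswith("always")
    default_port = IMAPS_PORT if mode == "implicit" else IMAP_PORT
    return (mode, port or default_port, required)


def negotiated_version(host: str, mode: str, port: int, ctx: ssl.SSLContext) -> str:
    """Start the session the chosen way and report what the handshake chose."""
    if mode == "implicit":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port)
        conn.starttls(ctx)  # upgrade the plaintext connection in place
    version = conn.sock.version()  # e.g. 'TLSv1.2' or 'TLSv1.3' in either mode
    conn.logout()
    return version


if __name__ == "__main__":
    ctx = hardened_context()
    for option in ("SSL Always", "TLS Always"):
        mode, port, _ = plan(option)  # placeholder host below
        print(option, "->", mode, "on", port, ":",
              negotiated_version("imap.example.com", mode, port, ctx))
```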


