[Dovecot] Protocol logging - TLS vs SSL

Ben Morrow ben at morrow.me.uk
Wed Feb 27 00:28:01 EET 2013


At  4PM -0500 on 26/02/13 you (Charles Marcus) wrote:
> On 2013-02-26 3:59 PM, Ben Morrow <ben at morrow.me.uk> wrote:
> > At  3PM -0500 on 26/02/13 you (Charles Marcus) wrote:
> >> Now the only other question is, again already being contemplated by Timo
> >> apparently, why the config file uses SSL...
> > Why not?
> 
> Because, as has been pointed out, TLS is the 'new', and SSL is the 'old'?
> 
> >> Timo, what I would suggest is allow the use of ssl in the config file
> >> for backwards compat, but change future versions to use TLS...
> 
> > I would be against that idea.
> 
> My turn... why?

I'm generally against gratuitous changes for no good reason.

> >> I'm curious though... I'm fairly certain that my Android phone
> >> differentiates between SSL and TLS, with choices something like:
> >>
> >> NONE
> >> SSL if available
> >> SSL Always
> >> TLS if available
> >> TLS Always
> >>
> >> And I always choose (chose - from now on I'll choose TLS) 'SSL Always',
> >> so shouldn't these connections show 'SSL' instead of TLS, since I'm
> >> basically forcing my phone to SSL?
> 
> > I suspect the difference is that the 'SSL' options use imap-over-SSL on
> > port 993 while the 'TLS' options use STARTTLS over port 143.
> 
> Don't know how you or Reindl came to that conclusion, because the ports 
> are specified separately.
>
> So, I can specify port 993, and TLS.

OK. What happens if you do that? Does the client start with an SSL
ClientHello, or does it start by waiting for a plain-text OK IMAP
response and then issuing CAPABILITY or STARTTLS in plain text? I
suspect it does the latter, which will not work with any ordinarily-
configured IMAP server (though of course it would be *possible* to
configure Dovecot to support that).

Ben
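
Added example, not part of the original post: the two client behaviours asked about above can be told apart from the first bytes on the wire, and the mismatch case is why "port 993 + STARTTLS-style client" stalls. The function names, mode labels and sample bytes are constructed for illustration.

```python
# Added example. All byte strings used with it are constructed samples, not captures.
IMAP_COMMANDS = {b"CAPABILITY", b"STARTTLS", b"LOGIN", b"AUTHENTICATE", b"NOOP", b"LOGOUT"}

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes one peer sends on a new IMAP connection."""
    # TLS/SSLv3 record: content type 0x16 (handshake), major version 3,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    # SSLv2-format hello: 2-byte header with high bit set, message type 1.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # Untagged server greeting sent in the clear.
    if data.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "imap-greeting"
    # Plaintext client command: "<tag> <COMMAND> ...".
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[1].upper() in IMAP_COMMANDS:
        return "imap-command"
    return "unknown"

def first_exchange(listener: str, client: str) -> str:
    """Model who speaks first. Modes (hypothetical labels): 'implicit' is TLS
    from byte 0 (usual port 993 setup); 'starttls' is a plaintext greeting
    first (usual port 143 setup)."""
    if listener == client == "implicit":
        return "client sends ClientHello, TLS handshake proceeds"
    if listener == client == "starttls":
        return "server greets in plaintext, client issues STARTTLS"
    if listener == "implicit":
        return "stall: server waits for ClientHello, client waits for greeting"
    return "mismatch: server greets in plaintext, client sends ClientHello"
```

Running classify_first_bytes over the first client payload in a packet capture answers the question directly: a ClientHello means the client is doing IMAP-over-SSL regardless of what its settings screen calls the option.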


