This documentation is for Dovecot v1.x; see wiki2 for v2.x documentation.
Differences between revisions 18 and 19
Revision 18 as of 2011-05-31 21:03:08
Size: 2451
Editor: raraku
Comment: removing link spam
Revision 19 as of 2011-08-29 01:27:30
Size: 2796
Editor: TimoSirainen
Comment:
Deletions are marked with "-", additions with "+"; unchanged context lines are indented.

Line 1 (revision 18) / Line 1 (revision 19):
  = SSL =
- — A Certificate Authority is a trusted third-party organization that issues digital certificates such as SSL Certificates after verifying the information included in the Certificates.

Line 10 (revision 18) / Line 8 (revision 19):
- Using two separate ports for plaintext and SSL connections was thought to be wasteful, so STARTTLS intended to deprecate the SSL ports (imaps, pop3s, smtps, etc). This never really happened, probably because of two reasons:
+ Originally SSL support was added to protocols by giving them a separate "SSL port" (imaps, pop3s, etc.), where the SSL handshake starts immediately when client connects, and only after the session is encrypted the regular protocol handling begins. Using two separate ports for plaintext and SSL connections was thought to be wasteful, so STARTTLS command was added and intended to deprecate the SSL ports. Clients using STARTTLS work by connecting to the regular unencrypted port and immediately issue a STARTTLS command, after which the session is encrypted. After SSL handshake there is no difference between SSL port initiated connections and STARTTLS initiated connections.
+
+ SSL port deprecation never really happened, probably because of a few reasons:
SSL

SSL and TLS terms are often used in confusing ways:

  • SSL (Secure Sockets Layer) is the original protocol implementation. SSLv3 is still allowed by Dovecot, but it's rarely used. Some clients use "SSL" to mean that they're going to connect to the imaps (993), pop3s (995) or smtps (465) port, although they're still going to use the TLSv1 protocol.
  • TLS (Transport Layer Security) replaced the SSL protocol. The TLSv1 protocol is what is practically always used nowadays. Some clients use "TLS" to mean that they're going to use the STARTTLS command after connecting to the standard imap (143), pop3 (110) or smtp (25/587) port. Nothing would prevent using the SSLv3 protocol after the STARTTLS command.

Originally SSL support was added to protocols by giving them a separate "SSL port" (imaps, pop3s, etc.), where the SSL handshake starts immediately when the client connects, and only after the session is encrypted does the regular protocol handling begin. Using two separate ports for plaintext and SSL connections was thought to be wasteful, so the STARTTLS command was added, intended to deprecate the SSL ports. Clients using STARTTLS work by connecting to the regular unencrypted port and immediately issuing a STARTTLS command, after which the session is encrypted. After the SSL handshake there is no difference between SSL port initiated connections and STARTTLS initiated connections.

SSL port deprecation never really happened, probably because of a few reasons:

  • Some admins don't even know about STARTTLS.
  • Some admins want to require SSL/TLS, but don't realize that this is also possible with STARTTLS (Dovecot has the disable_plaintext_auth=yes and ssl=required settings).
  • Some admins understand everything, but still prefer to allow only SSL ports. This could be because it makes it easier to ensure that no information is leaked, since the SSL/TLS handshake happens immediately. Some clients unfortunately try to do plaintext authentication without STARTTLS, even when the IMAP server has told the client that it won't work.

Unfortunately there doesn't seem to be any clear and simple way to refer to these different meanings.

The term SSL is much more widely understood than TLS, so the Dovecot configuration and this documentation only talk about SSL when in fact they mean both SSL and TLS.
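The difference between the two connection styles above can be audited from the server's first line: on an SSL port the session is already encrypted when the greeting arrives, while on the plaintext port the pre-STARTTLS CAPABILITY list tells the client whether a password may be sent before the handshake. The following checker is an added example, not code from the Dovecot project or this wiki page; the greeting lines are constructed samples, and it assumes the IMAP convention that STARTTLS, LOGINDISABLED and AUTH=... tokens in the greeting's CAPABILITY list describe what is allowed before encryption.

```python
"""Audit an IMAP server greeting for the STARTTLS / SSL-port policy described above."""
import re

# Constructed greeting (not captured from a live server) as a Dovecot with
# disable_plaintext_auth=yes and ssl=required would send on imap port 143.
GREETING_SECURE = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                   "ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
# Constructed greeting from a server that still accepts credentials before STARTTLS.
GREETING_LAX = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                "ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
# Constructed greeting on an imaps (993) connection: TLS is already up, no STARTTLS offered.
GREETING_IMAPS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                  "ENABLE IDLE AUTH=PLAIN] Dovecot ready.")

_CAP_RE = re.compile(r"\* OK \[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting):
    """Return the capability tokens embedded in an IMAP greeting, or None if absent."""
    m = _CAP_RE.match(greeting)
    return set(m.group(1).split()) if m else None


def audit_greeting(greeting, tls_already_established=False):
    """Classify what a client may safely do with this server before encryption.

    tls_already_established=True models an SSL-port connection (imaps/pop3s style),
    where the handshake completed before the greeting was even sent.
    """
    caps = parse_capabilities(greeting) or set()
    starttls = "STARTTLS" in caps
    sasl_offered = any(c.startswith("AUTH=") for c in caps)
    login_disabled = "LOGINDISABLED" in caps
    if tls_already_established:
        return {"starttls": starttls, "plaintext_ok": False,
                "verdict": "encrypted from the first byte (SSL port)"}
    # On the plaintext port a password is exposed unless the server refuses it pre-STARTTLS:
    # LOGIN is refused only via LOGINDISABLED, and any advertised AUTH= mechanism still works.
    plaintext_ok = sasl_offered or not login_disabled
    if starttls and not plaintext_ok:
        verdict = "STARTTLS required; plaintext auth refused (matches ssl=required)"
    elif starttls:
        verdict = "STARTTLS offered but plaintext auth still accepted; credentials can leak"
    else:
        verdict = "no STARTTLS and no TLS: password would be sent in the clear"
    return {"starttls": starttls, "plaintext_ok": plaintext_ok, "verdict": verdict}
```

A client that sends LOGIN despite LOGINDISABLED is the misbehaviour the last bullet above describes; the checker flags the server side of that contract, which is the part an administrator controls.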

SSL (last edited 2011-08-29 01:27:30 by TimoSirainen)