
tls vs ssl

  • Daniel L. Miller
    Message 1 of 13 , Mar 1, 2010
      OK - I'm an idiot. I'll just admit that up front and get it out of the way.

      Now that that's settled, what is the difference between "SSL" and "TLS"
      in a MUA - particularly Thunderbird - in a Postfix context?

      I would have sworn I used to use Thunderbird with "SSL" specified and
      connected to my Postfix servers fine. Now, I can only connect in "TLS"
      mode. What did I break?

      --
      Daniel
    • Stan Hoeppner
      Message 2 of 13 , Mar 1, 2010
        Daniel L. Miller put forth on 3/2/2010 1:18 AM:
        > OK - I'm an idiot. I'll just admit that up front and get it out of the
        > way.
        >
        > Now that that's settled, what is the difference between "SSL" and "TLS"
        > in a MUA - particularly Thunderbird - in a Postfix context?
        >
        > I would have sworn I used to use Thunderbird with "SSL" specified and
        > connected to my Postfix servers fine. Now, I can only connect in "TLS"
        > mode. What did I break?

        It's unlikely you'd forget setting up SSL. You would have likely created a
        self signed server certificate and would have installed it on all clients
        connecting to the server, just as must be done with web browsers connecting
        to a secure site for the first time.

        You've likely been using STARTTLS only, which doesn't require a key exchange
        as SSL/TLS does. STARTTLS != TLS.

        --
        Stan
      • Bill Landry
        Message 3 of 13 , Mar 2, 2010
          On 3/1/2010 11:51 PM, Stan Hoeppner wrote:
          > Daniel L. Miller put forth on 3/2/2010 1:18 AM:
          >> OK - I'm an idiot. I'll just admit that up front and get it out of the
          >> way.
          >>
          >> Now that that's settled, what is the difference between "SSL" and "TLS"
          >> in a MUA - particularly Thunderbird - in a Postfix context?
          >>
          >> I would have sworn I used to use Thunderbird with "SSL" specified and
          >> connected to my Postfix servers fine. Now, I can only connect in "TLS"
          >> mode. What did I break?
          >
          > It's unlikely you'd forget setting up SSL. You would have likely created a
          > self signed server certificate and would have installed it on all clients
          > connecting to the server, just as must be done with web browsers connecting
          > to a secure site for the first time.
          >
          > You've likely been using STARTTLS only, which doesn't require a key exchange
          > as SSL/TLS does. STARTTLS != TLS.

          Huh, what? STARTTLS == Start TLS

          http://en.wikipedia.org/wiki/STARTTLS

          Bill
        • Stan Hoeppner
          Message 4 of 13 , Mar 2, 2010
            Bill Landry put forth on 3/2/2010 2:01 AM:
            > On 3/1/2010 11:51 PM, Stan Hoeppner wrote:
            >> Daniel L. Miller put forth on 3/2/2010 1:18 AM:
            >>> OK - I'm an idiot. I'll just admit that up front and get it out of the
            >>> way.
            >>>
            >>> Now that that's settled, what is the difference between "SSL" and "TLS"
            >>> in a MUA - particularly Thunderbird - in a Postfix context?
            >>>
            >>> I would have sworn I used to use Thunderbird with "SSL" specified and
            >>> connected to my Postfix servers fine. Now, I can only connect in "TLS"
            >>> mode. What did I break?
            >>
            >> It's unlikely you'd forget setting up SSL. You would have likely
            >> created a
            >> self signed server certificate and would have installed it on all clients
            >> connecting to the server, just as must be done with web browsers
            >> connecting
            >> to a secure site for the first time.
            >>
            >> You've likely been using STARTTLS only, which doesn't require a key
            >> exchange
            >> as SSL/TLS does. STARTTLS != TLS.
            >
            > Huh, what? STARTTLS == Start TLS
            >
            > http://en.wikipedia.org/wiki/STARTTLS

            He's talking about Thunderbird, Bill. In that context, IIRC, one can check
            the STARTTLS option box, and if the outgoing SMTP server doesn't support
            STARTTLS, Thunderbird fails gracefully without error and falls back to plain
            text mode. If, on the other hand, one checks SSL/TLS, you don't get the
            graceful failure, but a hard error. This is the context of my STARTTLS !=
            TLS comment. It's been a very long time since I messed with this, probably
            pre 2.0, so my memory could be a little foggy. I would hope the Mozilla
            team would have changed this behavior in recent revs of T-Bird.

            --
            Stan
          • Timo Sirainen
            Message 5 of 13 , Mar 2, 2010
              On 2.3.2010, at 9.18, Daniel L. Miller wrote:

              > OK - I'm an idiot. I'll just admit that up front and get it out of the way.
              >
              > Now that that's settled, what is the difference between "SSL" and "TLS"
              > in a MUA - particularly Thunderbird - in a Postfix context?

              http://wiki.dovecot.org/SSL tries to explain their difference.

              > I would have sworn I used to use Thunderbird with "SSL" specified and
              > connected to my Postfix servers fine. Now, I can only connect in "TLS"
              > mode. What did I break?

              You no longer have smtps port enabled?
            • Jonathan Tripathy
              Message 6 of 13 , Mar 2, 2010
                RE: tls vs ssl

                Here is my 2 pence (Please someone correct me if I'm wrong).

                STARTTLS and TLS do eventually use the TLS protocol (which I think is just an updated version of SSL). The difference being that with STARTTLS, the SMTP client (e.g. Thunderbird) will connect to the server unencrypted, then if the smtp server (postfix) announces "STARTTLS", Thunderbird will negotiate a key exchange then continue the rest of the connection encrypted.

                With "normal" TLS, the encrypted connection happens from the start, and both server and client will need keys on each end set up beforehand.

                That's my take on it...


                -----Original Message-----
                From: owner-postfix-users@... on behalf of Stan Hoeppner
                Sent: Tue 3/2/2010 07:51
                To: postfix-users@...
                Subject: Re: tls vs ssl

                Daniel L. Miller put forth on 3/2/2010 1:18 AM:

                > OK - I'm an idiot.  I'll just admit that up front and get it out of the
                > way.
                >
                > Now that that's settled, what is the difference between "SSL" and "TLS"
                > in a MUA - particularly Thunderbird - in a Postfix context?
                >
                > I would have sworn I used to use Thunderbird with "SSL" specified and
                > connected to my Postfix servers fine.  Now, I can only connect in "TLS"
                > mode.  What did I break?

                It's unlikely you'd forget setting up SSL.  You would have likely created a
                self signed server certificate and would have installed it on all clients
                connecting to the server, just as must be done with web browsers connecting
                to a secure site for the first time.

                You've likely been using STARTTLS only, which doesn't require a key exchange
                as SSL/TLS does.  STARTTLS != TLS.

                --
                Stan

              • Charles Marcus
                Message 7 of 13 , Mar 2, 2010
                  On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
                  > You've likely been using STARTTLS only, which doesn't require a key exchange
                  > as SSL/TLS does.

                  ? You sure about that? I use only STARTTLS, and I always have to do the
                  'Confirm Security Exception' dance to accept the certificate the first
                  time I send a message in Thunderbird...

                  --

                  Best regards,

                  Charles
                • Wietse Venema
                  Message 8 of 13 , Mar 2, 2010
                    Charles Marcus:
                    > On 2010-03-02 2:51 AM, Stan Hoeppner wrote:
                    > > You've likely been using STARTTLS only, which doesn't require a key exchange
                    > > as SSL/TLS does.
                    >
                    > ? You sure about that? I use only STARTTLS, and I always have to do the
                    > 'Confirm Security Exception' dance to accept the certificate the first
                    > time I send a message in Thunderbird...

                    Port 24 and 587:

                    TCP handshake,
                    SMTP handshake, client sends STARTTLS,
                    TLS handshake, SMTP handshake, MAIL transaction, ...

                    Port 465:

                    TCP handshake,
                    TLS handshake, SMTP handshake, MAIL transaction, ...

                    Details are in RFC 3207.

                    Wietse
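                    The two orderings Wietse lays out, and what happens when a client built for one of them connects to a port running the other, as an added example that is not code from this thread, from Postfix or from Thunderbird. It runs both sides over loopback in one process and negotiates no real TLS: `FAKE_CLIENT_HELLO` is a constructed TLS record header standing in for a ClientHello, the `<tls>` prefix stands in for data sent inside the established session, and the hostnames are made up. Only the order of SMTP versus TLS on the wire is modelled, which is all that separates the two services.

```python
import socket
import threading

# 0x16 is the TLS record type for handshake messages; a ClientHello starts with it.
TLS_HANDSHAKE = 0x16
# Constructed stand-in for a ClientHello (record header: handshake, version 3.1,
# 4-byte body). No real TLS is negotiated; only the wire ordering is modelled.
FAKE_CLIENT_HELLO = bytes([TLS_HANDSHAKE, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
TLS_WRAPPED = b"<tls>"  # marker for "sent inside the established TLS session"


def smtpd_starttls(conn):
    """'TLS inside SMTP' server (smtpd_tls_security_level=may/encrypt): greet in clear."""
    conn.sendall(b"220 mail.example.test ESMTP\r\n")
    data = conn.recv(1024)
    if data.upper().startswith(b"EHLO"):
        conn.sendall(b"250-mail.example.test\r\n250 STARTTLS\r\n")
        data = conn.recv(1024)
    if data.upper().startswith(b"STARTTLS"):
        conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
        data = conn.recv(1024)  # a real server runs the TLS handshake here
        return "tls-started" if data[:1] == bytes([TLS_HANDSHAKE]) else "no-clienthello"
    # A raw ClientHello (or anything else) at this point is just a bad SMTP command.
    conn.sendall(b"500 5.5.2 Error: bad syntax\r\n")
    return "bad-command"


def smtpd_wrapper(conn):
    """'SMTP inside TLS' server (smtpd_tls_wrappermode=yes): silent until the ClientHello."""
    data = conn.recv(1024)
    if not data:
        return "client-gave-up"
    if data[:1] != bytes([TLS_HANDSHAKE]):
        return "not-tls"
    conn.sendall(TLS_WRAPPED + b"220 mail.example.test ESMTP\r\n")  # banner only inside TLS
    return "tls-started"


def client_starttls(sock):
    """Thunderbird 'STARTTLS': banner, EHLO, STARTTLS, and only then the ClientHello."""
    if not sock.recv(1024).startswith(b"220"):
        return "no-banner"
    sock.sendall(b"EHLO client.example.test\r\n")
    if b"STARTTLS" not in sock.recv(1024):
        return "server-lacks-starttls"
    sock.sendall(b"STARTTLS\r\n")
    if not sock.recv(1024).startswith(b"220"):
        return "starttls-refused"
    sock.sendall(FAKE_CLIENT_HELLO)
    return "tls-started"


def client_wrapper(sock):
    """Thunderbird 'SSL/TLS': ClientHello first; anything but a TLS record back is a failure."""
    sock.sendall(FAKE_CLIENT_HELLO)
    return "tls-started" if sock.recv(1024).startswith(TLS_WRAPPED) else "handshake-failed"


def run_exchange(server_fn, client_fn, timeout=0.5):
    """Pair one server mode with one client mode over loopback; a timeout models a hang."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(timeout * 4)  # outlive the client so a hang ends as the client giving up
        try:
            outcome["server"] = server_fn(conn)
        except socket.timeout:
            outcome["server"] = "timeout"
        finally:
            conn.close()

    worker = threading.Thread(target=serve)
    worker.start()
    client = socket.create_connection(listener.getsockname(), timeout=timeout)
    try:
        outcome["client"] = client_fn(client)
    except socket.timeout:
        outcome["client"] = "timeout"
    finally:
        client.close()
    worker.join()
    listener.close()
    return outcome["client"], outcome["server"]


def matrix():
    """All four pairings; only the two matching ones reach TLS."""
    return {
        ("STARTTLS port", "STARTTLS client"): run_exchange(smtpd_starttls, client_starttls),
        ("wrapper port", "SSL/TLS client"): run_exchange(smtpd_wrapper, client_wrapper),
        ("STARTTLS port", "SSL/TLS client"): run_exchange(smtpd_starttls, client_wrapper),
        ("wrapper port", "STARTTLS client"): run_exchange(smtpd_wrapper, client_starttls),
    }


if __name__ == "__main__":
    for (port, client), (c, s) in matrix().items():
        print(f"{client:16s} -> {port:14s}: client={c}, server={s}")
```

                    The two matching pairs reach TLS; the two mismatches fail in different ways. A wrapper-mode ("SSL/TLS") client on a STARTTLS port gets a clear-text 220 banner where its TLS layer expects a ServerHello, and the server sees the ClientHello bytes as an unknown command. A STARTTLS client on a wrapper-mode port waits for a banner the server will only send inside TLS, so both sides sit idle until the client gives up. Against a real server the same two checks are `openssl s_client -connect host:587 -starttls smtp` and `openssl s_client -connect host:465`; swapping them reproduces the two failures.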
                  • Daniel L. Miller
                    Message 9 of 13 , Mar 2, 2010
                      Timo Sirainen wrote:
                      >> I would have sworn I used to use Thunderbird with "SSL" specified and
                      >> connected to my Postfix servers fine. Now, I can only connect in "TLS"
                      >> mode. What did I break?
                      >>
                      >
                      > You no longer have smtps port enabled?
                      >
                      excerpted from master.cf - using non-standard port numbers for internal
                      use and testing:

                      192.168.0.110:125 inet n - - - - smtpd
                        -o syslog_name=frominternet
                        -o smtpd_proxy_filter=
                        -o myhostname=Postfix-ASSP.amfeslan.local

                      connect with Thunderbird to this address & port set to no encryption - works

                      192.168.0.110:126 inet n - - - - smtpd
                        -o smtpd_tls_security_level=may
                        -o smtpd_sasl_auth_enable=yes
                        -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                      connect with Thunderbird to this address & port set to TLS - works. SSL
                      does not.

                      192.168.0.110:127 inet n - - - - smtpd
                        -o smtpd_tls_security_level=encrypt
                        -o smtpd_sasl_auth_enable=yes
                        -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                      connect with Thunderbird to this address & port set to TLS - works. SSL
                      does not.

                      By "SSL does not work" I mean:
                      1. I see a connection in the Postfix log - but nothing further happens.
                      2. Thunderbird works and works at sending ... and then times out with
                      an error - "Sending of message failed".

                      --
                      Daniel
                    • Victor Duchovni
                      Message 10 of 13 , Mar 2, 2010
                        On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:

                        > 192.168.0.110:126 inet n - - - - smtpd
                        > -o smtpd_tls_security_level=may
                        > -o smtpd_sasl_auth_enable=yes
                        > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                        >
                        > connect with Thunderbird to this address & port set to TLS - works. SSL
                        > does not.

                        Why do you expect SMTP after SSL to work on a port that supports SSL
                        after SMTP?

                        http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode

                        --
                        Viktor.

                        P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                        system/email administrator to architect and sustain our perimeter email
                        environment. If you are interested, please drop me a note.
                      • Daniel L. Miller
                        Message 11 of 13 , Mar 2, 2010
                          Victor Duchovni wrote:
                          > On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
                          >
                          >
                          >> 192.168.0.110:126 inet n - - - - smtpd
                          >> -o smtpd_tls_security_level=may
                          >> -o smtpd_sasl_auth_enable=yes
                          >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                          >>
                          >> connect with Thunderbird to this address & port set to TLS - works. SSL
                          >> does not.
                          >>
                          >
                          > Why do you expect SMTP after SSL to work on a port that supports SSL
                          > after SMTP?
                          >
                          > http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
                          >
                          Ok - inferring from that, I tried:
                          192.168.0.110:128 inet n - - - - smtpd
                            -o smtpd_tls_wrappermode=yes
                            -o smtpd_sasl_auth_enable=yes
                            -o smtpd_client_restrictions=permit_sasl_authenticated,reject

                          Now connecting from Thunderbird SSL works - TLS does not. Just
                          confirming - is this expected and proper behaviour?

                          --
                          Daniel
                        • Victor Duchovni
                          Message 12 of 13 , Mar 2, 2010
                            On Tue, Mar 02, 2010 at 12:30:21PM -0800, Daniel L. Miller wrote:

                            > Ok - inferring from that, I tried:
                            > 192.168.0.110:128 inet n - - - - smtpd
                            > -o smtpd_tls_wrappermode=yes
                            > -o smtpd_sasl_auth_enable=yes
                            > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                            >
                            > Now connecting from Thunderbird SSL works - TLS does not. Just confirming
                            > - is this expected and proper behaviour?

                            Yes, of course. SSL after SMTP won't work with a service that runs SMTP
                            after SSL. The "SMTP inside SSL" service and "SSL inside SMTP" services
                            are not inter-operable and cannot be deployed on the same port.

                            The "SMTP over SSL" service (wrappermode=yes) is a legacy non-standard
                            service and should be phased out once all clients support "SSL over SMTP"
                            (aka STARTTLS).

                            --
                            Viktor.

                            P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                            system/email administrator to architect and sustain our perimeter email
                            environment. If you are interested, please drop me a note.
                          • Noel Jones
                            Message 13 of 13 , Mar 2, 2010
                              On 3/2/2010 2:30 PM, Daniel L. Miller wrote:
                              > Victor Duchovni wrote:
                              >> On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
                              >>
                              >>> 192.168.0.110:126 inet n - - - - smtpd
                              >>> -o smtpd_tls_security_level=may
                              >>> -o smtpd_sasl_auth_enable=yes
                              >>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                              >>>
                              >>> connect with Thunderbird to this address & port set to TLS - works.
                              >>> SSL does not.
                              >>
                              >> Why do you expect SMTP after SSL to work on a port that supports SSL
                              >> after SMTP?
                              >>
                              >> http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
                              > Ok - inferring from that, I tried:
                              > 192.168.0.110:128 inet n - - - - smtpd
                              > -o smtpd_tls_wrappermode=yes
                              > -o smtpd_sasl_auth_enable=yes
                              > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                              >
                              > Now connecting from Thunderbird SSL works - TLS does not. Just
                              > confirming - is this expected and proper behaviour?
                              >

                              Yes, that's expected. SSL wrappermode is incompatible with
                              standard SMTP or STARTTLS.

                              Typically wrappermode is specified only on port 465, which is
                              commonly referred to as the smtps port.

                              -- Noel Jones
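                              The two services on the conventional ports Noel mentions, as an added master.cf fragment that is neither Daniel's configuration nor anything posted in this thread: each mode gets its own listener because the two are not interoperable on one port. The syslog_name values and the chroot column are choices made for this example; the SASL and restriction lines mirror Daniel's test entries.

```text
# Port 587 (submission): clear-text SMTP greeting first, TLS only after the
# client sends STARTTLS. security_level=encrypt refuses to accept mail until
# TLS is up, so a client that skips STARTTLS gets nowhere.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465 (smtps): TLS handshake first, SMTP inside it. wrappermode=yes makes
# smtpd wait for the ClientHello before it sends any banner, so a STARTTLS
# client pointed here never sees the clear-text 220 it is waiting for.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

                              In Thunderbird the 587 entry pairs with the "STARTTLS" setting and the 465 entry with "SSL/TLS"; the separate syslog_name per listener is what lets you tell from the log which of the two a misconfigured client hit.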