
Re: TLS/SSL future direction
Drew Raines <drew@phg.mc.vanderbilt.edu> writes:

> TLS and SSL are always mentioned together even though they're seemingly
> quite different implementations.  What gives?

TLS and SSL are essentially the same, think of TLS as SSL v3++ with a
funny name.

Now, what is misleading many people is mistaking StartTLS for TLS.
There are two mechanisms for doing SSL/TLS:

      - Starting SSL/TLS on a TCP connection and *after* it has been
        set up, start talking some application protocol, LDAP in this
        case.  This will be done usually on a different port from
        that used for the normal protocol.  When only a few protocols
        wanted this it was workable but soon it got out of hand and
        opened the door to the next round of spurious port number
        allocations as soon as someone came up with a new invention.

      - Starting an application protocol connection and then, if
        capability negotiation permits it, start an SSL/TLS negotiation
        and then start talking over the newly set up layer thus created
        *on the same connection*. Each protocol does it differently.
        It is STLS for POP3, STARTTLS for SMTP, etc.  And it is the
        extended operation StartTLS for LDAP.  This is the preferred
        mechanism for all new protocols and most protocols are
        migrating to this.

In principle, you can use both SSL and TLS in either scenario. But
many people think SSL is the first method and TLS the second.

It is not so.

Julio
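The two mechanisms described above, as an added Python example that is not part of the original post: mechanism 1 wraps the socket in TLS before any protocol talk; mechanism 2 (STARTTLS, shown here in its SMTP form) speaks the application protocol first and upgrades the same socket, and the client refuses to carry on in cleartext when STARTTLS is not advertised. The host names, the canned replies and the ScriptedServer stand-in are constructed for the demo.

```python
import socket
import ssl


def parse_ehlo(reply):
    """Capability keywords from a multi-line 250 EHLO reply; line 1 is the greeting."""
    if not all(line.startswith("250") for line in reply):
        raise ConnectionError(f"EHLO rejected: {reply[-1]}")
    return {line[4:].split()[0].upper() for line in reply[1:] if len(line) > 4}


def negotiate_starttls(recv_reply, send_line, hostname="client.example.test"):
    """Mechanism 2: drive SMTP up to the point where TLS starts on the *same* socket.
    recv_reply() returns one reply as a list of lines; send_line() sends a command.
    Refuses to continue in cleartext when STARTTLS is missing or refused, so a
    stripped capability list cannot silently downgrade the session."""
    if not recv_reply()[-1].startswith("220"):
        raise ConnectionError("bad server greeting")
    send_line(f"EHLO {hostname}")
    caps = parse_ehlo(recv_reply())
    if "STARTTLS" not in caps:
        raise ConnectionError("STARTTLS not offered; refusing cleartext fallback")
    send_line("STARTTLS")
    if not recv_reply()[-1].startswith("220"):
        raise ConnectionError("server refused STARTTLS")
    return caps  # caller now does ctx.wrap_socket(sock, server_hostname=host)


def connect_implicit_tls(host, port, ctx=None):
    """Mechanism 1: TLS handshake first on a dedicated port, protocol talk afterwards."""
    ctx = ctx or ssl.create_default_context()
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


class ScriptedServer:
    """Constructed stand-in for an SMTP server: canned replies, records commands."""
    def __init__(self, replies):
        self.replies, self.received = list(replies), []
    def recv_reply(self):
        return self.replies.pop(0)
    def send_line(self, line):
        self.received.append(line)


# Constructed transcripts: one honest server, one whose STARTTLS line was stripped.
GOOD = [["220 mail.example.test ESMTP"],
        ["250-mail.example.test Hello", "250-STARTTLS", "250 SIZE 10240000"],
        ["220 Ready to start TLS"]]
STRIPPED = [["220 mail.example.test ESMTP"],
            ["250-mail.example.test Hello", "250 SIZE 10240000"]]

if __name__ == "__main__":
    srv = ScriptedServer(GOOD)
    print(sorted(negotiate_starttls(srv.recv_reply, srv.send_line)), srv.received)
```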