[Date Prev][Date Next]
Re: TLS/SSL future direction
Drew Raines <firstname.lastname@example.org> writes:
> TLS and SSL are always mentioned together even though they're seemingly
> quite different implementations. What gives?
TLS and SSL are essentially the same, think of TLS as SSL v3++ with a
Now, what is misleading many people is mistaking StartTLS for TLS.
There are two mechanisms for doing SSL/TLS:
- Starting SSL/TLS on a TCP connection and *after* it has been
setup, start talking some application protocol, LDAP in this
case. This will be done usually on a different port from
that used for the normal protocol. When only a few protocols
wanted this it was workable but soon it got out of hand and
opened the door to the next round of spurious port number
allocations as soon as someone came with a new invention.
- Starting an application protocol connection and then, if
capability negotiation permits it, start a SSL/TLS negotiation
and then start talking over the newly setup layer thus created
*on the same connection*. Each protocol does it differently.
It is STLS for POP3, STARTTLS for SMTP, etc. And it is the
extended operation StartTLS for LDAP. This is the preferred
mechanism for all new protocols and most protocols are
migrating to this.
In principle, you can use both SSL and TLS on either scenario. But
many people think SSL is the first method and TLS the second.
It is not so.