List:       imap
Subject:    re: STARTTLS/STLS and SSL v3 rejection
From:       Mark Crispin <MRC () CAC ! Washington ! EDU>
Date:       2002-09-25 15:13:00

The statement in RFC 2246 is certainly applicable to special SSL ports.  For
example:
   [...] application protocols which are secured by
   TLS 1.0, SSL 3.0, and SSL 2.0 all frequently share the same
   connection port: for example, the https protocol (HTTP secured by SSL
   or TLS) uses port 443 regardless of which security protocol it is
   using.
talks about the https port.  The IMAP equivalent for this is the imaps port
(port 993).

STARTTLS, on the other hand, is done on the imap port (port 143) which is NOT
"the same connection port" referred to above.

RFC 2246 does not claim applicability to STARTTLS functionality in IMAP, POP3,
SMTP, etc.  There are also abundant reasons *NOT* to use the SSLv23 server
method in STARTTLS; the decision was not made capriciously.  Nor was it made
by me alone; our representative in the IETF security groups was adamant about
not doing SSL over STARTTLS.

Let me put it another way: what benefit do you feel is gained by changing
STARTTLS to use the SSLv23 server method?  STARTTLS is in extensive production
use today, so clients are using the correct TLSv1 method.
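The post distinguishes two ways a client reaches TLS-protected IMAP: the dedicated imaps port (993), where the TLS handshake happens before any IMAP bytes are exchanged, and the imap port (143), where the session starts in cleartext and the STARTTLS command (RFC 2595) upgrades it in-band. The following is an added example, not code from the original post or from the UW IMAP project; it drives the STARTTLS exchange over a scripted transport so it runs offline, shows the client-side TLS context that refuses SSLv2/SSLv3, and illustrates the defender's rule that capabilities advertised before TLS are only trusted for deciding whether STARTTLS is on offer. The server lines, tags (`a001`, `a002`, `a003`) and the `ScriptedTransport`/`SocketTransport` helpers are constructed for this example.

```python
"""Added example (not part of the original post): implicit TLS on 993 versus the
in-band RFC 2595 STARTTLS exchange on 143, exercised over a scripted transport."""
import socket
import ssl
from typing import List, Tuple

IMAPS_PORT = 993   # implicit TLS: the handshake precedes any IMAP traffic
IMAP_PORT = 143    # cleartext IMAP; STARTTLS upgrades the session in-band


def client_tls_context() -> ssl.SSLContext:
    """Context for both modes. create_default_context() already refuses SSLv2/SSLv3
    and verifies the server certificate; the floor is pinned explicitly so it is
    auditable (TLS 1.2 here, stricter than the TLSv1 floor discussed in 2002)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ScriptedTransport:
    """Constructed stand-in for a socket: replays canned server lines and records
    what the client sends, so the exchange can be checked without a network."""

    def __init__(self, server_lines: List[bytes]):
        self._server = list(server_lines)
        self.sent: List[bytes] = []

    def send_line(self, line: bytes) -> None:
        self.sent.append(line)

    def recv_line(self) -> bytes:
        if not self._server:
            raise ConnectionError("scripted server closed the connection")
        return self._server.pop(0)


class SocketTransport:
    """Same interface over a real socket (hypothetical helper, used by connect())."""

    def __init__(self, sock: socket.socket):
        self._sock = sock
        self._rfile = sock.makefile("rb")

    def send_line(self, line: bytes) -> None:
        self._sock.sendall(line)

    def recv_line(self) -> bytes:
        line = self._rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        return line


def _read_tagged(transport, tag: bytes) -> Tuple[List[bytes], bytes]:
    """Collect untagged ('* ...') lines until the tagged completion line arrives."""
    untagged: List[bytes] = []
    while True:
        line = transport.recv_line()
        if line.startswith(tag + b" "):
            return untagged, line
        if line.startswith(b"* "):
            untagged.append(line)
        else:
            raise ValueError(f"unexpected line {line!r}")


def read_capabilities(transport, tag: bytes) -> set:
    """Issue CAPABILITY and return the advertised capability names, upper-cased."""
    transport.send_line(tag + b" CAPABILITY\r\n")
    untagged, done = _read_tagged(transport, tag)
    if not done.startswith(tag + b" OK"):
        raise ValueError(f"CAPABILITY failed: {done!r}")
    caps = set()
    for line in untagged:
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == b"*" and parts[1].upper() == b"CAPABILITY":
            caps.update(p.upper() for p in parts[2:])
    return caps


def negotiate_starttls(transport) -> dict:
    """Run the RFC 2595 exchange on port 143 up to the point where the caller must
    wrap the socket in TLS. Pre-TLS capabilities are unauthenticated: they decide
    only whether STARTTLS is offered, and the client re-reads them after the wrap."""
    greeting = transport.recv_line()
    if not greeting.startswith(b"* OK"):
        raise ValueError(f"unexpected greeting {greeting!r}")
    pre_tls_caps = read_capabilities(transport, b"a001")
    if b"STARTTLS" not in pre_tls_caps:
        raise RuntimeError("STARTTLS not offered; refusing to continue in cleartext")
    transport.send_line(b"a002 STARTTLS\r\n")
    _, done = _read_tagged(transport, b"a002")
    if not done.startswith(b"a002 OK"):
        raise RuntimeError(f"STARTTLS refused: {done!r}")
    return {"pre_tls_capabilities": pre_tls_caps, "ready_for_tls": True}


def connect(host: str, port: int) -> ssl.SSLSocket:
    """Real-network helper (not exercised offline). On 993 the socket is wrapped
    before any IMAP traffic; on 143 the wrap happens only after the server's OK."""
    ctx = client_tls_context()
    sock = socket.create_connection((host, port))
    if port == IMAPS_PORT:
        return ctx.wrap_socket(sock, server_hostname=host)
    negotiate_starttls(SocketTransport(sock))
    tls_sock = ctx.wrap_socket(sock, server_hostname=host)
    read_capabilities(SocketTransport(tls_sock), b"a003")  # re-read under TLS
    return tls_sock


if __name__ == "__main__":
    # Constructed server script for the STARTTLS path on port 143.
    server = ScriptedTransport([
        b"* OK IMAP4rev1 Service Ready\r\n",
        b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n",
        b"a001 OK CAPABILITY completed\r\n",
        b"a002 OK Begin TLS negotiation now\r\n",
    ])
    print(negotiate_starttls(server), server.sent)
```

Everything after the `a002 OK` line belongs to TLS, which is why `negotiate_starttls` stops there and `connect()` performs the wrap; with implicit TLS on 993 there is no cleartext phase at all, so the wrap happens first and the greeting is already protected.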
