https://www.fastmail.fm/help/technology_ssl_vs_tls_starttls.html
SSL vs TLS vs STARTTLS
There's often quite a bit of confusion about the different terms SSL vs TLS vs STARTTLS.
- SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you're referring to a specific version of the protocol.
- STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS; you can use SSL.
Version numbering is inconsistent between SSL and TLS versions. When TLS took over from SSL as the preferred protocol name, it began a new version number, and also began using sub-versions. So the ordering of protocols in terms of oldest to newest is: SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2.
When you connect to an SSL/TLS encrypted port, or use STARTTLS to upgrade an existing connection, both sides will negotiate which protocol and which version to use based on what has been configured in the software and what each side supports.
Support for SSL/TLS is virtually universal these days, however which versions are supported is variable. Pretty much everything supports SSLv3 (except a few very old Palm Treo devices as we discovered). Most things support TLSv1.0. As at May 2012, support for TLSv1.1 and TLSv1.2 is more limited.
One significant complicating factor is that some email software incorrectly uses the term TLS when they should have used STARTTLS. Older versions of Thunderbird in particular used "TLS" to mean "enforce use of STARTTLS to upgrade the connection, and fail if STARTTLS is not supported" and "TLS, if available" to mean "use STARTTLS to upgrade the connection if the server advertises support for it, otherwise just use an insecure connection".
The above is particularly problematic when combined with having to configure a port number for each protocol.
To add security to some existing protocols (e.g. IMAP, POP, etc.), it was decided to just add SSL/TLS encryption as a layer underneath the existing protocol. However, to signal that software should talk the SSL/TLS encrypted version of the protocol rather than the plaintext one, a different port number was used for each protocol. So you have:
- IMAP uses port 143, but SSL/TLS encrypted IMAP uses port 993
- POP uses port 110, but SSL/TLS encrypted POP uses port 995
- SMTP uses port 25, but SSL/TLS encrypted SMTP uses port 465
At some point, it was decided that having 2 ports for every protocol was wasteful, and instead you should have 1 port that starts off as plaintext, but the client can upgrade the connection to an SSL/TLS encrypted one. This is what STARTTLS was created to do.
There were a few problems with this though. There was already existing software that used the alternate port numbers with pure SSL/TLS connections. Client software can be very long lived, so you can't just disable the encrypted ports until all software has been upgraded.
Mechanisms were added to each protocol to tell clients that the plaintext protocol supported upgrading to SSL/TLS (e.g. STARTTLS), and that they should not attempt to login without doing the STARTTLS upgrade. This created two unfortunate situations:
- Some software just ignored the "login disabled until upgraded" announcement and just tried to log in anyway, sending the user login name and password over plaintext. Even if the server then rejected the login, the details had already been sent over the Internet in plaintext.
- Other software saw the "login disabled until upgraded" announcement, but then wouldn't upgrade the connection automatically, and thus reported login errors back to the user, which caused confusion about what was wrong.
Both of these problems resulted in significant compatibility issues with existing clients, and so most system administrators continued to just use plaintext connections on one port number, and encrypted connections on a separate port number.
This has now basically become the de facto standard that everyone uses: IMAP SSL/TLS encrypted over port 993 or POP SSL/TLS encrypted over port 995. Many sites are now disabling plain IMAP (port 143) and plain POP (port 110) altogether so people must use an SSL/TLS encrypted connection. Disabling ports 143 and 110 removes STARTTLS completely as even an option for IMAP/POP connections.
The one real exception to the above is SMTP. However that's for a different reason again. Most email software used SMTP on port 25 to submit messages to the email server for onward transmission to the destination. However SMTP was originally designed for transfer, not submission. So yet another port (587) was defined for message submission. Although port 587 doesn't mandate requiring STARTTLS, the use of port 587 became popular around the same time as the realisation that SSL/TLS encryption of communications between clients and servers was an important security and privacy issue.
The result is that in most cases, systems that offer message submission over port 587 require clients to use STARTTLS to upgrade the connection and also require a login to authenticate. There has been an added benefit to this approach as well. By moving users away from using port 25 for email submission, ISPs are now able to block outgoing port 25 connections from users' computers, which were a significant source of spam due to user computers that were infected with spam-sending viruses.
Currently, things seem relatively randomly split between people using SMTP SSL/TLS encrypted over port 465, or people using SMTP with STARTTLS upgrading over port 587.
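The client side of the STARTTLS upgrade the article describes (EHLO, STARTTLS, a fresh EHLO after the upgrade, and only then AUTH), written here as an added illustration that is not Fastmail's code and not the code from the post below. The scripted `FakeServer`, the `negotiate` function and all reply strings are constructed for this example; a real transport would wrap the socket with Python's `ssl` module at the point where `wrap_tls()` is called.

```python
import base64

class StartTlsRequired(Exception):
    """Raised when STARTTLS is not offered or does not complete."""
def parse_ehlo(reply):
    """Parse a multi-line EHLO reply ('250-KEY ...', last line '250 KEY') into (code, keywords)."""
    lines = reply.splitlines()           # first line carries the server name, not a keyword
    keywords = {l[4:].split()[0].upper() for l in lines[1:] if l[4:].strip()}
    return lines[0][:3], keywords

def negotiate(transport, username, password, require_tls=True):
    """EHLO -> STARTTLS -> EHLO -> AUTH, never sending credentials in the clear.
    transport.send(cmd) returns the server reply; transport.wrap_tls() swaps in a TLS socket."""
    code, caps = parse_ehlo(transport.send("EHLO client.example"))
    if code != "250":
        raise StartTlsRequired("EHLO rejected with " + code)
    if "STARTTLS" not in caps:
        if require_tls:
            raise StartTlsRequired("server does not advertise STARTTLS")
        return "plaintext-no-auth"       # opportunistic mode still refuses a plaintext login
    reply = transport.send("STARTTLS")
    if not reply.startswith("220"):      # only a 220 means "start the TLS handshake now"
        raise StartTlsRequired("STARTTLS refused: " + reply.strip())
    transport.wrap_tls()                 # real code: ssl.create_default_context().wrap_socket(...)
    code, caps = parse_ehlo(transport.send("EHLO client.example"))  # re-read capabilities after upgrade
    if "AUTH" not in caps:
        raise StartTlsRequired("no AUTH offered after STARTTLS")
    token = base64.b64encode(("\0%s\0%s" % (username, password)).encode()).decode()
    reply = transport.send("AUTH PLAIN " + token)   # credentials only ever travel inside TLS
    return "authenticated" if reply.startswith("235") else "auth-failed"

class FakeServer:
    """Constructed, scripted stand-in for a submission server (not a real MTA)."""
    def __init__(self, offers_starttls=True, starttls_reply="220 Ready to start TLS\r\n"):
        self.offers_starttls, self.starttls_reply = offers_starttls, starttls_reply
        self.tls, self.log = False, []   # log records (tls_active, command verb) per command
    def send(self, command):
        self.log.append((self.tls, command.split()[0]))
        if command.startswith("EHLO"):
            lines = ["250-mail.example.invalid"]
            if self.offers_starttls and not self.tls:
                lines.append("250-STARTTLS")
            if self.tls:
                lines.append("250-AUTH PLAIN LOGIN")
            return "\r\n".join(lines + ["250 SIZE 10240000"]) + "\r\n"
        if command == "STARTTLS":
            return self.starttls_reply
        return "235 Authentication succeeded\r\n" if self.tls else "530 Must issue a STARTTLS command first\r\n"
    def wrap_tls(self):
        self.tls = True
```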
According to this article, STARTTLS starts by connecting and negotiating over the plaintext protocol: the client asks the server whether it supports SSL/TLS encryption; if the server answers that it does, the client begins sending data over SSL/TLS; if the server does not support it, the data is still sent the original way.
However, I ran into the following problem: sending mail over plain SMTP works fine, but after adding the declaration for STARTTLS support, sending fails. When I used the telnet command to test whether the server supports STARTTLS, the server returned "starttls ready", which indicates the server should support STARTTLS. Even if it didn't, it should by rights still be able to send mail the ordinary way, yet sending really does fail, and I haven't found the cause yet.
The corresponding mail-sending code is as follows: