13

Is TLS the "new" version of SSL? What features does it add, or security issues does it address?

Can anything that supports SSL support TLS? What would be involved in making the switch? Is the switch worth it?

Why is it that emails are sent over "Opportunistic TLS" and VPN's often called SSL VPN? Is there a difference in the technology, perhaps creating room for a "TLS VPN" product line ?

makerofthings7
  • 8,821
  • 28
  • 115
  • 196

4 Answers4

11

TLS and SSL are closely related technologies.

First, email and Opportunistic TLS. ESMTP has the option of performing the actual data transfer portion of the conversation over an encrypted link. This is part of the protocol and has been called TLS for most of its existence. It works roughly like this:

-> EHLO foreignmailer.example.com
<- 250 Howdy, stranger
<- [list of capabilities, of which TLS is listed]
-> [Indicates it wants to start a TLS session]
<- [accepts negotioation]
-> [Mail actions, of which LOGIN might be one]

Once the TLS session has been started, new login methods might be available. This is an example of a protocol that includes Transaction Layer Security in it directly. The certificates used are the same kind of certificates used for SSL over HTTP.

For an example of a service that doesn't include TLS directly, take POP3-over-SSL. In that case, the secure session is negotiated before the actual protocol is negotiated. In essence, POP3 is being encapsulated inside a secure session.

In general, if a service supports SSL it can be extended to support TLS. Whether or not that has been done is up to the maintainers of the service. This does mean that TLS can replace SSL in "SSL VPNs".

SSL VPNs are distinct from their IPSec based cousins in that the secure session is done at a different level. SSL VPNs do their work much the same way that POP3-over-SSL does, in that traffic is encapsulated over an existing TCP connection. IPSec VPNs create an IP-level secure tunnel, where SSL VPNs create a TCP-level secure tunnel. The reason SSL VPNs seem to be taking over is that they're easier to set up and are more tolerant of bad network conditions. SSL VPNs can and do use the TLS protocol for securing the session, though it does depend on the maker of the VPN itself.

As for the exact protocol level differences between SSL and TLS, that I can't get into. TLS as a standard was arrived at later than SSL and therefore includes some of the lessons learned in the early SSL versions. SSLv3 was ratified back in 1996 and TLS1.0 in 1999, and further protocol development appears to be limited to the TLS suite. It has taken a LONG time for SSLv1 and v2 to go away. TLS is the clear successor of the SSL suite.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
  • When should SSLv3 go away and it be replaced by TLS? Any situations today or in the near future that this would be relevant? – makerofthings7 Sep 03 '10 at 16:06
  • @MakerOfThings7 In terms of browser support, it will go away once 90% of actively browsing users support TLS without failing back to SSLv3. That'll probably happen some time in the next 5-7 years. That may change if an easy to exploit weakness is discovered in SSLv3 that would force a more rapid roll-out. – sysadmin1138 Sep 03 '10 at 16:09
  • 2
    SSL v 3 and TLSv1 were broken in the BEAST attack http://luxsci.com/blog/is-ssltls-really-broken-by-the-beast-attack-what-is-the-real-story-what-should-i-do.html), and SSL v3 again via POODLE (http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/) hopefully we can push for TLS 1.2 to be used more frequently – Jim B Oct 23 '14 at 16:21
  • Specs for TLS 1.2 are here http://tools.ietf.org/html/rfc5246 and for 1.3 (currently draft) are here http://www.ietf.org/id/draft-ietf-tls-tls13-02.txt – Jim B Oct 23 '14 at 16:26
5

TLS is essentially an upgrade to SSL. The changes to it are not dramatic, but significant enough to break compatibility with SSL3.0.

The Wikipedia article covers it extensively but in reasonably understandable terms. (I don't mean to RTFM, but I don't want to repeat everything there.)

They are used in similar ways, and is still referred to as SSL. Basically, you choose your encryption scheme to be one or the other.

gWaldo
  • 11,887
  • 8
  • 41
  • 68
  • 5
    +1, The biggest difference is that SSL is implicit encryption, meaning the connection starts with an encryption handshake and doesn't do anything until that's successful. TLS is explicit, the connection starts and at some point the client asks to start encrypting the communication. – Chris S Sep 03 '10 at 15:49
  • 1
    @Chris: Are you sure about that? `openssl` seems to disagree. (Many programs say "TLS" when they mean "STARTTLS".) – user1686 Sep 03 '10 at 16:29
  • @Grawity, I think you're confusing TLS's fallback mode with SSL. Many apps will use a TLS wrapper that recognizes an SSL negotiation and starts the handshake immediately. If an app is running pure TLS (w/o fallback) then it must issue the STARTTLS (or equivalent, it's protocol dependent, though most protocols use that) before the encryption handshake begins. – Chris S Sep 03 '10 at 17:13
  • All of those comments apply to SSL/TLS being used by other protocols. SSLv3 and TLSv1.0 are almost identical with differences only known to the protocol experts. – Nasko Sep 03 '10 at 18:25
  • Also, TLS does not break compatability with SSL, please verify your sources. – Nasko Sep 03 '10 at 18:30
  • @Chris, TLS and SSL are virtually the same thing (except a few extensions, cipher suites, ...). STARTTLS is for upgrades to TLS within the same TCP connection. That's often called "TLS" in contrast to "SSL", but by mistake. Both TLS and SSL can be upgraded from a TCP plain connection by initiating the handshake after having exchanged some plain data. `STARTTLS` is just a way to tell the application protocol that this is going to happen (otherwise the SSL/TLS messages would mean nothing to the application protocol). – Bruno Sep 07 '10 at 18:35
  • (I meant TLS and SSL to be "virtually the same thing" mostly from the usage point of view, some of these small changes create incompatibilities.) – Bruno Sep 07 '10 at 18:43
  • @Bruno, can you provide links to any documentation about what you're describing? I've programmed a number of applications using OpenSSL, and what you're saying is definitely not the way their API works, I'd be interested if I'm missing out on some functionality on account of limiting myself to that API. – Chris S Sep 08 '10 at 02:14
  • I'm fairly sure upgrading a socket could be done with OpenSSL, but haven't tried. It can definitely be done in Java and Python (via its OpenSSL wrapper). This happen for example when you use `CONNECT` on a plain HTTP proxy to connect to an HTTPS server (the proxy just relays the TCP connection after the `CONNECT` command, and the client just upgrades to TLS/SSL on the same connection). An [example here](http://code.google.com/p/python-httpclient/source/browse/trunk/httpclient/httpclient.py?spec=svn8&r=7) (`CONNECT` line 426 and `convert_ssl_sock`). – Bruno Sep 08 '10 at 08:11
  • For the theory, "SSL and TLS: Designing and Building Secure Systems" by E. Rescorla is very good. – Bruno Sep 08 '10 at 08:12
  • There is an example of `STARTTLS` as well in SMTP in [this document](http://sial.org/howto/openssl/tls-name/) mentioned by the OP in [another question](http://stackoverflow.com/questions/3660798/what-happens-on-the-wire-when-a-tls-ldap-or-tls-http-connection-is-set-up): the client is expected to send the SSL/TLS `ClientHello` after receiving `220 2.0.0 Ready to start TLS` from the server (itself sent in response to the `STARTTLS` command). – Bruno Sep 08 '10 at 11:20
3

SSL as already people pointed out is a protocol designed by Netscape in the past. At some point the IETF standards body decided to adopt the SSLv3 protocol as a standard one, so it got change very subtly and it was named TLSv1.0.

So for most people, TLSv1.0 is almost equivalent to SSLv3. The reason people still call the family of protocols SSL is because of historical reasons - everyone is used to the name, so they keep on using it. It is quite possible for the VPN to be using TLS under the cover, but the marketing name still stays as SSL VPN.

Since TLSv1.0, there have been two revisions of the standard and it is now at TLSv1.2, which while still compatible, has some significant changes. Because of the SSL/TLS design, both client and server can negotiate which version of the protocol they want to use, so clients using TLSv1.0 can still talk to servers implementing TLSv1.2 and vice versa.

Considering the interoperability between all the versions of the protocol, there is no "making a switch", since they are the same family. It is a question of "do I need to use newer version?". As with any other area, the answer to this question will depend on whether the current version you are using has any limitations or not. Currently there are no problems with using SSLv3, but the majority of clients and servers out there work with TLSv1.0.

I hope this clarifies the picture a bit. If not, let me know what is still confusing I will try to explain further.

Nasko
  • 727
  • 3
  • 5
0

Is TLS the "new" version of SSL? What features does it add, or security issues does it address?

TLS is T ransport L ayer S ecurity and generally refers to the STARTTLS command in SMTP mail servers. It may or may not use SSL (SEE palm versamal for an example) but in general SSL is the main security system used. TLS has also been used for other purposes (like HTTP ) and the latest RFC spec is at version 1.2

Can anything that supports SSL support TLS? What would be involved in making the switch? Is the switch worth it?

Usually but by anything, with TLS being the consideration, you are referring to mailservers, so specifically mailservers that have an SSL cert can use TLS to transfer mail and recieve mail.

Why is it that emails are sent over "Opportunistic TLS" and VPN's often called SSL VPN? Is there a difference in the technology, perhaps creating room for a "TLS VPN" product line ?

This smells like the marketing meatheads got in the room. "Opportunistic TLS" simply means that if starttls does not return a 220 (Ready to start TLS) go ahead and send the email anyway. Note that TLS is a SENDER option not a reciever option it might be possible with some mail servers to refuse non-TLS mail but that would be the exception not the rule.

TLS also supports mutual authentication and not simply encryption of a connection.

Sending an email over a VPN (whether SSL or another security scheme) simply makes the mailservers security essentially irrelevant, you can use TLS over a VPN (and you can even use TLS as the VPN security scheme) but it doesn't necessarily affect how the mail is transported if only the VPn connection is encrypted between mailservers (so from the source and destination mailservers, they might be transmitting standard cleartext)

Jim B
  • 23,938
  • 4
  • 35
  • 58
  • I beg to differ. TLS does not generally refer to STARTTLS command in SMTP. Any documentation that you read will refer to TLS as the TLS protocol, which is used by SMTP to protect its traffic. Now when it comes to "Opportunistic TLS", then you can involve higher level protocols which have the "opportunity" to use TLS or not. – Nasko Sep 03 '10 at 18:29
  • You are certainly welcome to disagree however if you ask 10 admins what TLS is used for 9 will say email. Even the question presumes emails regarding TLS. I also mention that TLS is used for other things. RFC 2434 defines which ciphers can be negotiated in the serverhello message- it has nothing to do with opportunistic TLS. SMTP doies nto define any encryption. RFC 3207 defines starttls as a server extension – Jim B Sep 04 '10 at 04:21
  • "TLS" only refers to "STARTTLS" incorrectly. STARTTLS is just a keyword to generalize the approach, but it requires integration in the initial protocol. The STARTTLS command looks similar in SMTP and IMAP, but needs to be integrated in the syntax in LDAP; the same mechanism in S-HTTP (not HTTPS) doesn't use that keyword. It's not because mail clients offer a choice between "SSL" and "TLS" to mean a choice between initial and opportunistic SSL/TLS that their use of the name is right. I bet some SMTPS servers support TLSv1 very well, upfront. You might also see some SSLv3 after using STARTTLS. – Bruno Sep 08 '10 at 19:17
  • 1
    That answer is wrong. STARTTLS is a command used in many protocols (e.g., SMTP) to initiate TLS or SSL. Other than that they are irrelevant. – Nikos Jan 07 '13 at 09:03