Ben Laurie <[EMAIL PROTECTED]> writes:
> M wrote:
> >
> > [Perhaps I ought to know this already, but...]
> >
> > RFC 2246 says "The differences between [TLS 1.0] and SSL 3.0 are not dramatic, but
> > they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although
> > TLS 1.0 does incorporate a mechanism by which a TLS implementation can back down to
> > SSL 3.0)".
> >
> > To an unpractised eye, not used to the line-by-line collation of long texts, the
> > two specifications seem pretty well identical. What *are* the important differences?
>
> The hashes used for secret generation (and perhaps checking message
> content, I forget now) are radically different.

1. As Ben says, the key derivation functions are radically different.
2. The MACs are somewhat different. SSLv3 uses a modification of an
early HMAC. TLS uses HMAC.
3. The Finished messages are different.
4. RSA key exchange in SSLv3 implementations does not comply with the
spec. It's supposed to be an opaque <2^16-1> but actually they
just put bytes directly in the record.
5. TLS has more alerts.
6. TLS requires DSS/DH support.
I think that's it, but there may be some more trivial differences.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
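Points 1 to 4 of Ekr's list are easiest to see side by side in code. The block below is an added example; it is not part of the original thread and is not PureTLS or OpenSSL code. It implements, from the specifications, the SSLv3 master-secret derivation, record MAC and Finished computation (as later written up in RFC 6101) next to the TLS 1.0 PRF, HMAC-based record MAC and PRF-based Finished (RFC 2246), plus the two encodings of the RSA ClientKeyExchange body from point 4. All function names are mine, and the pre-master secret, randoms and handshake transcript in `demo()` are constructed fixed bytes, not a real capture.

```python
import hashlib
import hmac
import struct

# 1. Key derivation: SSLv3 (RFC 6101 s6.1) vs the TLS 1.0 PRF (RFC 2246 s5).

def sslv3_master_secret(pre_master, client_random, server_random):
    """SSLv3: three MD5(pre_master || SHA1(salt || pre_master || randoms)) blocks
    with salts 'A', 'BB', 'CCC'. No HMAC anywhere, fixed 48-byte output."""
    out = b""
    for salt in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(salt + pre_master + client_random + server_random).digest()
        out += hashlib.md5(pre_master + inner).digest()
    return out


def _p_hash(hash_fn, secret, seed, length):
    """P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)); emit HMAC(secret, A(i) || seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second
    half (the halves share one byte when the secret length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = _p_hash(hashlib.md5, s1, label + seed, length)
    sha_part = _p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def tls10_master_secret(pre_master, client_random, server_random):
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


# 2. Record MAC: SSLv3's pre-HMAC keyed hash vs TLS 1.0's real HMAC.

def sslv3_mac(hash_fn, mac_secret, seq_num, content_type, fragment):
    """SSLv3 (RFC 6101 s5.2.3.1): hash(key || pad2 || hash(key || pad1 || header || data)).
    Pads are 48 bytes for MD5, 40 for SHA-1; the key is simply concatenated, not
    padded to the hash block size, and no protocol version is in the MAC input."""
    pad_len = 48 if hash_fn is hashlib.md5 else 40
    pad1, pad2 = b"\x36" * pad_len, b"\x5c" * pad_len
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hash_fn(mac_secret + pad1 + header + fragment).digest()
    return hash_fn(mac_secret + pad2 + inner).digest()


def tls10_mac(hash_fn, mac_secret, seq_num, content_type, fragment, version=(3, 1)):
    """TLS 1.0 (RFC 2246 s6.2.3.1): RFC 2104 HMAC over seq || type || version || len || data."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_fn).digest()


# 3. Finished message.

SSLV3_SENDER = {"client": b"CLNT", "server": b"SRVR"}  # 0x434C4E54 / 0x53525652

def sslv3_finished(master_secret, handshake_messages, role):
    """SSLv3: MD5 and SHA-1 pad-style hashes over the transcript, 36 bytes total."""
    sender, out = SSLV3_SENDER[role], b""
    for hash_fn, pad_len in ((hashlib.md5, 48), (hashlib.sha1, 40)):
        pad1, pad2 = b"\x36" * pad_len, b"\x5c" * pad_len
        inner = hash_fn(handshake_messages + sender + master_secret + pad1).digest()
        out += hash_fn(master_secret + pad2 + inner).digest()
    return out


def tls10_finished(master_secret, handshake_messages, role):
    """TLS 1.0: PRF(master, "<role> finished", MD5(msgs) || SHA1(msgs)), 12 bytes."""
    seed = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return tls10_prf(master_secret, role.encode() + b" finished", seed, 12)


# 4. RSA ClientKeyExchange body: TLS wraps EncryptedPreMasterSecret as
# opaque<0..2^16-1> (2-byte length); SSLv3 implementations send the raw ciphertext.

def client_key_exchange_body(encrypted_pms, tls):
    return (struct.pack("!H", len(encrypted_pms)) if tls else b"") + encrypted_pms


def demo():
    # Constructed sample values (not a real capture), fixed so the run is reproducible.
    pre_master = bytes([3, 0]) + bytes(range(46))            # 48-byte RSA pre-master, version 3.0
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    handshake = b"ClientHello...ServerHello...ClientKeyExchange"  # stand-in transcript
    ms3 = sslv3_master_secret(pre_master, client_random, server_random)
    ms1 = tls10_master_secret(pre_master, client_random, server_random)
    mac_key = ms1[:20]  # same key for both MACs, to show the constructions differ
    return {
        "master_sslv3": ms3, "master_tls10": ms1,
        "mac_sslv3": sslv3_mac(hashlib.sha1, mac_key, 0, 23, b"hello"),
        "mac_tls10": tls10_mac(hashlib.sha1, mac_key, 0, 23, b"hello"),
        "fin_sslv3": sslv3_finished(ms3, handshake, "client"),
        "fin_tls10": tls10_finished(ms1, handshake, "client"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value.hex()}")
```

Running it shows the point behind "do not interoperate": the same pre-master secret and randoms yield two unrelated 48-byte master secrets, the same MAC key yields two different record tags, and the Finished values are of different lengths (36 vs 12 bytes) and computed with different functions, so a peer running the other protocol version cannot verify them.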