On Wed, Dec 08, 2010 at 11:03:10AM -0500, Zhou, Yan wrote:

> Why is that? Which one should I use: starttls or tls/ssl for secure
> connections?

There are two ways to secure a protocol with SSL/TLS.

    - Encapsulate the entire protocol in SSL/TLS. A "secure" port is
    known for the SSL-encapsulated protocol; the client connects to
    the secure port and immediately begins an SSL handshake, and once
    that completes, the client can send application protocol messages.

    - Extend the application protocol with a "STARTTLS" verb, which
    switches the communication channel from plaintext to SSL/TLS.
    This runs on the normal application port, and the timing of the
    SSL handshake is delayed until the client and server agree at
    the application level to perform the necessary handshake.

The two approaches are fundamentally not interoperable: the application
protocol won't tolerate an unannounced CLIENT SSL HELLO, and the
encapsulated protocol won't tolerate plaintext application messages.

-- 
        Viktor.
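The two styles Viktor describes, worked through at the byte level as an added example (this is not code from the post, nor Postfix's own code). It has two parts: a classifier for the first bytes a client sends, which shows why a plaintext listener and a TLS listener cannot understand each other's opening, and a client-side state machine for the SMTP STARTTLS dialog of RFC 3207 that decides when the handshake may begin. The host names, the scripted server reply lines and the ClientHello prefix are constructed for illustration; they are not captured traffic.

```python
# Added example (not from the original post or from Postfix): implicit TLS
# versus STARTTLS at the byte level.  Host names, server reply lines and the
# ClientHello prefix below are constructed assumptions, not captured traffic.
from __future__ import annotations
import re
import struct

TLS_CONTENT_HANDSHAKE = 0x16        # record-layer content type: handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if `data` starts with a TLS record carrying a ClientHello.

    Record header: content type (1 byte), version (2), length (2).
    Handshake header: message type (1), message length (3).
    This is what arrives first on an "implicit TLS" port: the client
    speaks TLS before any application message is exchanged.
    """
    if len(data) < 9:
        return False
    content_type, ver_major, _minor, record_len = struct.unpack("!BBBH", data[:5])
    # SSL 3.0 and every TLS version use major version 3 on the record layer.
    if content_type != TLS_CONTENT_HANDSHAKE or ver_major != 3:
        return False
    if data[5] != TLS_HANDSHAKE_CLIENT_HELLO:
        return False
    handshake_len = int.from_bytes(data[6:9], "big")
    # The record must hold at least the 4-byte handshake header; the message
    # itself may be fragmented across records, so it may exceed this record.
    return record_len >= 4 and handshake_len + 4 >= record_len


_SMTP_COMMAND = re.compile(rb"^[A-Za-z]{4}( |\r\n)")   # EHLO, HELO, ... verbs


def classify_first_bytes(data: bytes) -> str:
    """What a listener concludes from the first bytes a client sends.

    A plaintext SMTP listener expects a four-letter verb; a TLS listener
    expects a ClientHello.  Neither can parse the other's opening bytes,
    which is why the two wrapping styles are not interoperable.
    """
    if looks_like_tls_client_hello(data):
        return "tls-client-hello"
    if _SMTP_COMMAND.match(data):
        return "smtp-command"
    return "unknown"


class StartTlsNegotiation:
    """Client side of the SMTP STARTTLS dialog (RFC 3207) as a state machine.

    Feed it server reply lines; it returns the bytes to send next and sets
    `ready_for_tls` once the TLS handshake may begin on the same socket.
    Being a pure state machine, it can be driven by a real socket or, as in
    run_scripted() below, by a constructed transcript.
    """

    def __init__(self, helo_name: str = "client.example"):
        self.helo_name = helo_name      # assumed name; would be the client's FQDN
        self.state = "greeting"
        self.capabilities: list[str] = []
        self.ready_for_tls = False
        self.error: str | None = None
        self._ehlo_first_line = True

    def _fail(self, why: str) -> bytes:
        # A client that requires TLS must not fall back to cleartext: quit.
        self.error = why
        self.state = "failed"
        return b"QUIT\r\n"

    def feed(self, reply_line: str) -> bytes | None:
        """Handle one server reply line (CRLF stripped).  Returns the next
        client command, or None when more server lines are expected."""
        code, cont, text = reply_line[:3], reply_line[3:4], reply_line[4:]
        if self.state == "greeting":
            if code != "220":
                return self._fail("server refused the session: " + reply_line)
            self.state = "ehlo"
            return f"EHLO {self.helo_name}\r\n".encode("ascii")
        if self.state == "ehlo":
            if code != "250":
                return self._fail("EHLO rejected: " + reply_line)
            if self._ehlo_first_line:
                self._ehlo_first_line = False   # first line is the server name
            else:
                self.capabilities.append(text.split(" ", 1)[0].upper())
            if cont == "-":
                return None                     # "250-": more lines follow
            if "STARTTLS" not in self.capabilities:
                return self._fail("server does not offer STARTTLS")
            self.state = "starttls"
            return b"STARTTLS\r\n"
        if self.state == "starttls":
            if code != "220":
                return self._fail("STARTTLS refused: " + reply_line)
            # From here the socket carries TLS.  Capabilities learned in
            # cleartext must be discarded and EHLO re-issued after the handshake.
            self.capabilities = []
            self.ready_for_tls = True
            self.state = "tls"
            return None
        return self._fail("unexpected reply in state " + self.state)


def run_scripted(server_lines, helo_name: str = "client.example"):
    """Drive the negotiation over a constructed list of server reply lines.
    Returns (commands the client sent, ready_for_tls, error)."""
    neg = StartTlsNegotiation(helo_name)
    sent = []
    for line in server_lines:
        out = neg.feed(line)
        if out is not None:
            sent.append(out)
        if neg.error:
            break
    return sent, neg.ready_for_tls, neg.error


if __name__ == "__main__":
    # Constructed transcript of a server that advertises STARTTLS.
    good = ["220 mail.example.com ESMTP", "250-mail.example.com",
            "250-STARTTLS", "250 8BITMIME", "220 2.0.0 Ready to start TLS"]
    print(run_scripted(good))
    # Constructed prefix of a ClientHello record; the lengths are consistent
    # (192-byte handshake message in a 196-byte record) but the body is padding.
    hello = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
    print(classify_first_bytes(hello), classify_first_bytes(b"EHLO client.example\r\n"))
```

On a STARTTLS port the handshake is only reached after the cleartext exchange succeeds; if the server omits STARTTLS from its EHLO reply or answers STARTTLS with a 4xx/5xx, the state machine quits rather than continuing in the clear. On an implicit-TLS port there is no such dialog: the very first bytes are the ClientHello, which the classifier recognises and a plaintext command parser would reject.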