Re^2: [Oberon] SSL tunnel; was SMTP/SSH tunnel

W B Hacker wbh at conducive.org
Sun Apr 1 10:45:07 MEST 2007 

peasthope at cablelan.net wrote:
> Bill,
> 
> wh> Between two equally-SSL-ignorant entities, yes.
> 
> wh> But all MTA's in common use have been SSL/TLS 'aware' for *years*.
> 
> wh> Ergo it is seldom needed at *both* ends, ...
> 
> Oh!  So MTA-through-a-tunnel on one end (Oberon)  
> connected to TLS-aware-MTA on the other end (Linux) 
> is possible. 

Definitely *not* to 'TLS', as it begins life un-encrypted, 'advertises' the 
*availability* of encryption (STARTTLS), then negotiates the fine details with 
an arrivee that is equipped to a) recognize the advert, b) pick from the menu, 
and covey the choice back to the advertising entity, c) 'negotiate' an 
encryption scheme and key type/length that both ends can work with.

It allows using a single, designated port for 'all comers', intead of running 
plain traffic on one port, and SSL on a separate port.

As said, 'legacy SSL' (TLS is just SSL 3 renamed) has an extensive 'negotiation' 
of its own. But not the foreplay TLS wants.

Take any working implementation of SSH, for axample, (Unix, Linux) and use it 
with '-V', '-vv', or  '-vvv' verbosity flags, and you will see the gruesome details.

But 'legacy' SSL expects each end to *already* be in 'SSL' mode.  IOW - skips 
the first steps.  And TLS won't do that. Wants foreplay as well as condom.

Exim's 'tls_on_connect_ports' just means skip the foreplay, this one's ready to 
play, or 'use legacy SSL'.

Which is what stunnel and friends are all about.

 > Now I understand much more of previous
> discussions.
> 
> wh> In Peter Rabbit English..
> 
> Just what is needed sometimes.

Payboy Bunny English added to make it yet more clear....

;-)

> 
> wh> HTH,
> 
> Certainly.  Thanks!               ... Peter E.
> 

BTW - skipping the prelims also means fewer useless bot-probes wasting 
bandwidth. Most drop off the teat sooner when they encounter SSL, as there is no 
point in trying to negotiate a non-encrypted session.


> Desktops.OpenDoc  http://carnot.pathology.ubc.ca/
> 
> --
> Oberon at lists.inf.ethz.ch mailing list for ETH Oberon and related systems
> https://lists.inf.ethz.ch/mailman/listinfo/oberon
>

More information about the Oberon mailing list