Re^2: [Oberon] SSL tunnel; was SMTP/SSH tunnel
W B Hacker
wbh at conducive.org
Sun Apr 1 10:45:07 MEST 2007
peasthope at cablelan.net wrote:
> Bill,
>
> wh> Between two equally-SSL-ignorant entities, yes.
>
> wh> But all MTA's in common use have been SSL/TLS 'aware' for *years*.
>
> wh> Ergo it is seldom needed at *both* ends, ...
>
> Oh! So MTA-through-a-tunnel on one end (Oberon)
> connected to TLS-aware-MTA on the other end (Linux)
> is possible.
Definitely *not* to 'TLS', as it begins life un-encrypted, 'advertises' the
*availability* of encryption (STARTTLS), then negotiates the fine details with
an arrivee that is equipped to a) recognize the advert, b) pick from the menu,
and convey the choice back to the advertising entity, c) 'negotiate' an
encryption scheme and key type/length that both ends can work with.
It allows using a single, designated port for 'all comers', instead of running
plain traffic on one port, and SSL on a separate port.
As said, 'legacy SSL' (TLS is just SSL 3 renamed) has an extensive 'negotiation'
of its own. But not the foreplay TLS wants.
Take any working implementation of SSH, for example, (Unix, Linux) and use it
with '-V', '-vv', or '-vvv' verbosity flags, and you will see the gruesome details.
But 'legacy' SSL expects each end to *already* be in 'SSL' mode. IOW - skips
the first steps. And TLS won't do that. Wants foreplay as well as condom.
Exim's 'tls_on_connect_ports' just means skip the foreplay, this one's ready to
play, or 'use legacy SSL'.
Which is what stunnel and friends are all about.
> Now I understand much more of previous
> discussions.
>
> wh> In Peter Rabbit English..
>
> Just what is needed sometimes.
Playboy Bunny English added to make it yet more clear....
;-)
>
> wh> HTH,
>
> Certainly. Thanks! ... Peter E.
>
BTW - skipping the prelims also means fewer useless bot-probes wasting
bandwidth. Most drop off the teat sooner when they encounter SSL, as there is no
point in trying to negotiate a non-encrypted session.
> Desktops.OpenDoc http://carnot.pathology.ubc.ca/
>
> --
> Oberon at lists.inf.ethz.ch mailing list for ETH Oberon and related systems
> https://lists.inf.ethz.ch/mailman/listinfo/oberon
>
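
The message above distinguishes a port that starts in plaintext and advertises STARTTLS from one that expects SSL from the first byte (Exim's 'tls_on_connect_ports'). As an added example that is not part of the original post, this classifier tells the two apart from the opening of a captured SMTP session. The function names, event format and sample bytes are constructed for illustration, and only the SSLv3/TLS record header (0x16 0x03) is recognised.

```python
# Added example: classify the opening of a captured SMTP session.
# Event format, function names and sample bytes are constructed for illustration.

def is_tls_record(data: bytes) -> bool:
    # SSLv3/TLS handshake record header: content type 0x16, major version 0x03.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def ehlo_extensions(reply: bytes) -> set:
    """Extension keywords from a multi-line 250 reply (first line is the greeting)."""
    exts = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        words = line[4:].split()
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts

def classify_session(events) -> str:
    """events: (sender, payload) pairs in wire order; sender is 'C' or 'S'."""
    if events and events[0][0] == "C" and is_tls_record(events[0][1]):
        return "tls-on-connect"      # no plaintext phase at all
    offered = requested = accepted = False
    for sender, payload in events:
        if is_tls_record(payload):
            return "starttls-upgraded" if accepted else "unexpected-tls"
        if sender == "S" and "STARTTLS" in ehlo_extensions(payload):
            offered = True           # the 'advert'
        elif sender == "C" and payload.strip().upper() == b"STARTTLS":
            requested = True         # client picks it from the menu
        elif sender == "S" and requested and payload.startswith(b"220"):
            accepted = True          # server says go ahead; handshake follows
    return "starttls-offered-unused" if offered else "plaintext-only"

HELLO = b"\x16\x03\x01\x00\x05stub!"  # constructed, truncated ClientHello record
BANNER = b"220 mx.example.test ESMTP\r\n"
EHLO = b"EHLO client.example.test\r\n"
REPLY = b"250-mx.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
SESSIONS = {
    "port with tls_on_connect": [("C", HELLO)],
    "STARTTLS used": [("S", BANNER), ("C", EHLO), ("S", REPLY),
                      ("C", b"STARTTLS\r\n"), ("S", b"220 Go ahead\r\n"), ("C", HELLO)],
    "STARTTLS ignored": [("S", BANNER), ("C", EHLO), ("S", REPLY),
                         ("C", b"MAIL FROM:<a@example.test>\r\n")],
}

if __name__ == "__main__":
    for name, events in SESSIONS.items():
        print(f"{name}: {classify_session(events)}")
```

A session reported as "starttls-offered-unused" is one where the mail itself crossed the wire unencrypted even though the server was TLS-capable.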