Rob Funk <rfunk(_at_)funknet(_dot_)net>:
"Eric S. Raymond" <esr(_at_)thyrsus(_dot_)com> wrote:
I think the two cases are different. The presence of service on the
SSL port is expensive to probe for. Probing for a working STARTTLS, on
the other hand, is cheap -- so fetchmail should automatically try to
get the best possible security.

My thoughts on the whole issue.... which may be somewhat confused, but
that's partly because others here seem to be somewhat confused....

STARTTLS and use of the SSL port should be separate concepts from
authentication -- "auth password" shouldn't affect SSL/TLS at all.

For the most part, TLS should not be considered to be separate from SSL;
TLS v1 is basically SSL v3 with some minor changes and a new name. It
isn't a matter of "SSL is encryption on a separate port, while TLS is
encryption on the same port"; it's just that the STARTTLS concept was
invented after SSL had evolved into TLS.

The only way TLS should be considered separate from SSL is in the context
of acceptable SSL versions, along with whether SSLv2 is allowed. (See the
SSL config section of Mozilla or IE for an example.)

If the server advertises STARTTLS, fetchmail should use it unless
specifically instructed not to, with something like a "nossl" directive --
but not an "auth password" directive.

There should probably be a way to say "use STARTTLS if possible, and don't
ever use a connection that isn't encrypted". If that's added to the
meaning of the "ssl" directive, that would be fine with me.
Eric S. Raymond <http://www.tuxedo.org/~esr/>
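The policy the thread argues for (use STARTTLS whenever the server advertises it, unless told not to; under an "ssl"-style directive, refuse to fall back to plaintext when no STARTTLS is offered, since a server that does not advertise it and an on-path attacker that stripped the advertisement look identical to the client), written out as an added example. This is not fetchmail code; the capability replies are constructed, and the directive names in `Policy` ("ssl", "nossl", "sslport") are placeholders for the knobs the post proposes, not actual fetchmail options.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Policy:
    """Hypothetical client directives, modelled on the ones proposed in the thread."""
    ssl: bool = False      # mandatory mode: never use an unencrypted session
    nossl: bool = False    # never negotiate STARTTLS, even if advertised
    sslport: bool = False  # connect to the dedicated SSL port (implicit TLS)


def parse_capabilities(response: str) -> set[str]:
    """Parse a POP3 CAPA reply (RFC 2449, multi-line, '.'-terminated) or an
    IMAP '* CAPABILITY ...' line into a set of upper-cased capability tokens."""
    lines = response.splitlines()
    if not lines:
        return set()
    if lines[0].startswith("* CAPABILITY"):
        return {tok.upper() for tok in lines[0].split()[2:]}
    if lines[0].startswith("+OK"):
        caps: set[str] = set()
        for line in lines[1:]:
            if line.strip() == ".":
                break
            if line.strip():
                caps.add(line.split()[0].upper())
        return caps
    return set()


def choose_transport(policy: Policy, caps: set[str]) -> str:
    """Return 'ssl-port', 'starttls', 'plain' or 'refuse' for the given
    directives and advertised capabilities (POP3 says STLS, IMAP says STARTTLS)."""
    if policy.ssl and policy.nossl:
        raise ValueError("ssl and nossl contradict each other")
    if policy.sslport:
        return "ssl-port"          # implicit TLS, no capability probe needed
    if policy.nossl:
        return "plain"             # explicitly told not to upgrade
    if caps & {"STLS", "STARTTLS"}:
        return "starttls"          # cheap opportunistic upgrade
    # Nothing advertised: in mandatory mode refuse rather than downgrade,
    # otherwise fall back to the unencrypted session the server offers.
    return "refuse" if policy.ssl else "plain"
```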