[RHCE] TLS vs. SSL discussion
Mike Broome
rhce@trilug.org
Thu, 17 Apr 2003 14:57:33 -0400
On Thu, Apr 17, 2003 at 02:22:06PM -0400, Jeremy Portzer wrote:
> Here is the RFC that defines TLS:
> http://www.ietf.org/rfc/rfc2246.txt
>
> Of particular note is this section:
>
> This document and the TLS protocol itself are based on the SSL 3.0
> Protocol Specification as published by Netscape. The differences
> between this protocol and SSL 3.0 are not dramatic, but they are
> significant enough that TLS 1.0 and SSL 3.0 do not interoperate
> (although TLS 1.0 does incorporate a mechanism by which a TLS
> implementation can back down to SSL 3.0). This document is intended
> primarily for readers who will be implementing the protocol and those
> doing cryptographic analysis of it. The specification has been
> written with this in mind, and it is intended to reflect the needs of
> those two groups. For that reason, many of the algorithm-dependent
> data structures and rules are included in the body of the text (as
> opposed to in an appendix), providing easier access to them.
>
> In practice TLS almost always operates in that "mechanism by which a TLS
> implementation can back down to SSL 3.0". That's why the two systems
> (TLS and SSL) are used interchangeably when discussing the services that
> use them, such as smtps, imaps, pop3s, and https. (HTTPS generally uses
> SSL 3.0 only, and not TLS at all.)
I was going to look this up today, but you beat me to it. :)
So we were both right. I still disagree with your statement that "TLS
and SSL are the same thing". From the RFC I see that they are not, and
TLS is, as I suspected, slightly changed from SSL. (That's what
standards bodies live to do. :)
But that's mostly a semantic distinction since the reality of it is that
the two are fully interoperable and interchangeable when TLS operates
using the "mechanism by which a TLS implementation can back down to SSL
3.0".
Thanks for sending out the info. I don't think Jason's going to get the
fight he was hoping for.
M.
-- 
Mike Broome
mbroome(at)employees.org