Hi all,

Way way back in 2000, Evgeny Stambulchik <[EMAIL PROTECTED]> complained (http://www.washington.edu/imap/listarch/2000/msg01124.html) that UW IMAP was accepting SSL v3 handshaking on the pops and imaps ports, but not via STLS/STARTTLS on the pop and imap ports. He traced this to a line in src/osdep/unix/auth_ssl.c (which is now src/osdep/unix/ssl_unix.c) which rejected any connection other than TLS v1 for STARTTLS connections.
The response from Mark Crispin <[EMAIL PROTECTED]> (http://www.washington.edu/imap/listarch/2000/msg01128.html) was that there wasn't any authoritative mention that the STARTTLS command should accept SSL v3 requests. I respectfully submit that there is authoritative mention of the OPTION to do so, in RFC 2246 "The TLS Protocol Version 1.0", appendix E, which states:

<begin quote>
E. Backward Compatibility With SSL

For historical reasons and in order to avoid a profligate consumption of reserved port numbers, application protocols which are secured by TLS 1.0, SSL 3.0, and SSL 2.0 all frequently share the same connection port: for example, the https protocol (HTTP secured by SSL or TLS) uses port 443 regardless of which security protocol it is using. Thus, some mechanism must be determined to distinguish and negotiate among the various protocols.

.....

Similarly, a TLS server which wishes to interoperate with SSL 3.0 clients should accept SSL 3.0 client hello messages and respond with an SSL 3.0 server hello if an SSL 3.0 client hello is received which has a version field of {3, 0}, denoting that this client does not support TLS.
<end quote>

Granted, the UW IMAP developers may have simply made the decision that STARTTLS shall only support TLS v1, but in this RFC we clearly see that the IETF has already considered cases where TLS servers MAY want to interoperate with SSL 3.0 clients. Thus, the argument that STARTTLS must not accept older SSL connections should probably be relaxed in favor of following the procedure described in RFC 2246 appendix E.

Yours,
--Rob

--
-----------------------------------------------------------------
For information about this mailing list, and its archives, see:
http://www.washington.edu/imap/imap-list.html
-----------------------------------------------------------------
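The negotiation described in RFC 2246 appendix E, as an added example that is not part of the original post and is not UW IMAP's own code: a small Python parser that pulls the client_version out of either an SSL 3.0/TLS 1.0 record-layer ClientHello or an SSL 2.0-format ClientHello, and two policies for choosing the ServerHello version. The `"tls1-only"` policy is an assumed model of the STARTTLS check the post describes (accept nothing below TLS 1.0); the `"appendix-e"` policy answers a {3,0} hello with an SSL 3.0 server hello as the quoted text recommends. The sample hellos are constructed inline, not captured traffic, and every function name here is this example's own.

```python
import struct

TLS_1_0 = (3, 1)
SSL_3_0 = (3, 0)
SSL_2_0 = (0, 2)  # version field carried by a native SSL 2.0 CLIENT-HELLO


def parse_client_hello_version(data: bytes):
    """Return (client_version, wire_format) for a ClientHello.

    wire_format is "sslv2" for the 2-byte-header V2 CLIENT-HELLO format that
    RFC 2246 appendix E.1 describes, or "sslv3" for the SSL 3.0 / TLS 1.0
    record layer. Anything else raises ValueError.
    """
    if len(data) < 2:
        raise ValueError("too short to be a hello")
    # V2 format: high bit of the first byte set, 15-bit length, then
    # MSG-CLIENT-HELLO (0x01) followed by a 2-byte version (major, minor).
    if data[0] & 0x80:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) < 3 or body[0] != 0x01:
            raise ValueError("not an SSL 2.0 CLIENT-HELLO")
        return (body[1], body[2]), "sslv2"
    # V3 record layer: content_type(1) version(2) length(2); 0x16 = handshake
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); ClientHello is msg_type 1,
    # and client_version is the first field of its body.
    if len(body) < 6 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    return (body[4], body[5]), "sslv3"


def choose_server_version(client_version, policy="appendix-e"):
    """Version to put in the ServerHello, or None to refuse the handshake.

    "tls1-only": the STARTTLS behaviour the post complains about (assumed
                 model, not UW IMAP's code): anything below TLS 1.0 is rejected.
    "appendix-e": RFC 2246 appendix E for a server whose highest version is
                  TLS 1.0: answer a {3,0} hello with an SSL 3.0 server hello.
    """
    if policy == "tls1-only":
        return TLS_1_0 if client_version >= TLS_1_0 else None
    if client_version >= TLS_1_0:
        return TLS_1_0
    if client_version == SSL_3_0:
        return SSL_3_0
    return None  # native SSL 2.0 is not offered by this server


def handle_client_hello(data: bytes, policy="appendix-e"):
    """Parse a hello and apply the policy; returns the negotiated version or None."""
    client_version, _fmt = parse_client_hello_version(data)
    return choose_server_version(client_version, policy)


# --- constructed sample hellos (not captures) ---------------------------------

def build_v3_client_hello(client_version):
    """Minimal SSL 3.0 / TLS 1.0 ClientHello: version, 32-byte random,
    empty session id, one cipher suite, null compression."""
    body = (bytes(client_version) + b"\x00" * 32 + b"\x00"
            + b"\x00\x02\x00\x0a" + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(client_version) + struct.pack("!H", len(hs)) + hs


def build_v2_client_hello(version):
    """Minimal V2-format CLIENT-HELLO: one cipher spec, no session id,
    16-byte challenge."""
    body = (b"\x01" + bytes(version) + struct.pack("!HHH", 3, 0, 16)
            + b"\x00\x00\x0a" + b"\x00" * 16)
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    for label, hello in (("TLS 1.0", build_v3_client_hello(TLS_1_0)),
                         ("SSL 3.0", build_v3_client_hello(SSL_3_0)),
                         ("SSL 2.0 (V2 format)", build_v2_client_hello(SSL_2_0))):
        print(label, "tls1-only ->", handle_client_hello(hello, "tls1-only"),
              "| appendix-e ->", handle_client_hello(hello, "appendix-e"))
```

The difference between the two policies is exactly the {3,0} case: under `"tls1-only"` the SSL 3.0 client is refused, under `"appendix-e"` it gets an SSL 3.0 server hello. Note for anyone reading this today: SSL 3.0 has since been deprecated by RFC 7568, so the appendix E accommodation the post asks for is no longer something a server should offer.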
