[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gnutls-dev] netscape enterprise server 3.6

From: Andrew McDonald
Subject: Re: [gnutls-dev] netscape enterprise server 3.6
Date: Fri Feb 15 18:07:02 2002
User-agent: Mutt/1.3.27i

On Fri, Feb 15, 2002 at 05:01:55AM +0200, Nikos Mavroyanopoulos wrote:
> On Thu, Feb 14, 2002 at 08:20:42PM +0000, Andrew McDonald wrote:
> However, I noticed that starttls is not used when the
> server does not advertize it. This is not good. If starttls is
> enabled it should connect using TLS and fail (or ask the user
> to continue), otherwise. If this is the current behaviour
> then ignore this.

It's slightly more complicated than that. I'm not too keen on it, but
it's what the mutt with OpenSSL behaviour is, and I'll probably try to
change some of it in the future.

The ssl_starttls setting essentially gives opportunistic encryption -
if we use imap (port 143) and the server advertises STARTTLS we try to
do it.

If you want to be sure of using TLS/SSL then you can specify imaps
(IMAP over SSL/TLS on port 993). There is also an imap_force_ssl
setting. If you have this set and then specify imap it essentially
changes it to imaps (IMAP over SSL on port 993 unless another port is

If you work this through you'll realise that it is not possible to make
sure it uses TLS and use STARTTLS on port 143. :-(

I think an improved behaviour would be that if imap_force_ssl is set
with 'imap' as the protocol and ssl_starttls set then it should do
STARTTLS or fail (or maybe try imaps on port 993).

> > There is also a report of problems against 'some proprietary program':
> > <>
> > <>
> > He doesn't seem to have filed a bug in the Debian BTS, but I'll see if
> > can find some more details.
> The problem with these proprietary implementations is that we cannot
> easily check against. 

Indeed. It appears that he gets a fatal alert and that it is a problem
with both SSLv3 and TLSv1, but that's as much as I've found out.

Andrew McDonald
E-mail: address@hidden

Attachment: pgpmuuNYDKhSh.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]