2

How is StartTLS integrated? [answered]

asked 2014-06-04 16:46:29 +0300

mgbler

When creating an email account, one can choose from 3 options: no encryption ;), SSL and TLS. Where is StartTLS? Is it used by default or does it depend on the port I use? How can I assure that encryption is enforced?


The question has been closed for the following reason "the question is answered, an answer was accepted" by mgbler
close date 2014-06-05 01:17:36.297222

Comments

1

I always assumed the TLS option was StartTLS, and the SSL option was SSL/TLS. I may be wrong.

nthn (2014-06-04 18:50:20 +0300)

Hmm yeah, I found a comment on TMO (http://talk.maemo.org/showthread.php?t=90037&p=1342121) stating this, but no documentation. If TLS includes StartTLS and SSL also includes TLS, this is misleading. StartTLS can be misused to degrade the connection and thus undermine encryption efforts (as o2 Telefónica did in Germany: http://www.heise.de/security/meldung/Eingriff-in-E-Mail-Verschluesselung-durch-Mobilfunknetz-von-O2-206233.html). That's why I just want to know how I can enforce SSL/TLS and block the use of StartTLS.

mgbler (2014-06-04 19:33:08 +0300)

2 Answers

3

answered 2014-06-04 20:29:59 +0300

tigeli

@nthn is right, TLS is startTLS and SSL is SSL/TLS. I will ask our developers about dropping the connection if startTLS is filtered out by the server end.


Comments

Thx a lot for making this clear!

mgbler (2014-06-05 01:08:51 +0300)
3

answered 2014-06-04 21:58:53 +0300

VDVsx

@nthn - If the server advertises StartTLS, an encrypted connection is made after the capabilities are listed. If that connection is downgraded on the server side, it will be dropped on the client side, but if you try to connect to a server not supporting StartTLS while this option is selected, it will continue using a plain socket, see code below:

https://qt.gitorious.org/qt-labs/messagingframework/source/aba3f25cf2e8610fa59c103da3891dd62356d392:src/plugins/messageservices/imap/imapauthenticator.cpp#L57

If you want to make sure that encryption is in place, you must select SSL. The naming is a bit confusing atm, it is like tigeli says above, the next update will fix the naming :)


Comments

Thank you for going into detail and linking the source. A better naming is much appreciated :) ...btw. perhaps it would be nice to have the qwarning (continuing unencrypted) visible as a notification

mgbler (2014-06-05 01:16:54 +0300)

Thanks for the explanation!

nthn (2014-06-05 01:24:38 +0300)
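
The fallback described in the second answer (continue on a plain socket when STARTTLS is not advertised) set beside a fail-closed policy, as an added example that is not part of the thread and is not code from the Qt Messaging Framework. `Policy`, `Action`, `decide` and `mayStartHandshake` are hypothetical names, and the capability lines are constructed samples.

```cpp
// Added example: models the STARTTLS decision a mail client makes after
// reading the IMAP CAPABILITY line. Names (Policy, Action, decide) are
// hypothetical and are not taken from the messagingframework source.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

enum class Policy { Opportunistic, RequireStartTls };
enum class Action { SendStartTls, ContinuePlaintext, Abort };

// True only if STARTTLS appears as a whole token in the capability line;
// tokens are compared case-insensitively.
bool advertisesStartTls(const std::string &capabilityLine) {
    std::istringstream in(capabilityLine);
    std::string token;
    while (in >> token) {
        std::transform(token.begin(), token.end(), token.begin(),
            [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
        if (token == "STARTTLS") return true;
    }
    return false;
}

// Decide what to do before any credentials are sent.
Action decide(const std::string &capabilityLine, Policy policy) {
    if (advertisesStartTls(capabilityLine)) return Action::SendStartTls;
    // Capability missing: either the server lacks it or something on the
    // path removed it. The client cannot tell these two cases apart.
    return policy == Policy::RequireStartTls ? Action::Abort
                                             : Action::ContinuePlaintext;
}

// After STARTTLS was sent: anything but a tagged OK means no TLS, so stop.
bool mayStartHandshake(const std::string &tag, const std::string &reply) {
    return reply.rfind(tag + " OK", 0) == 0;
}

int main() {
    // Constructed sample lines, not captured traffic.
    const std::string full = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED";
    const std::string stripped = "* CAPABILITY IMAP4rev1 AUTH=PLAIN";
    std::cout << (decide(full, Policy::Opportunistic) == Action::SendStartTls) << '\n';
    std::cout << (decide(stripped, Policy::Opportunistic) == Action::ContinuePlaintext) << '\n';
    std::cout << (decide(stripped, Policy::RequireStartTls) == Action::Abort) << '\n';
    std::cout << mayStartHandshake("a1", "a1 NO TLS not available") << '\n';
}
```

Only the `RequireStartTls` policy turns a missing capability into a dropped connection; with `Opportunistic`, the login proceeds in cleartext.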

Stats

Asked: 2014-06-04 16:46:29 +0300

Seen: 264 times

Last updated: Jun 04 '14