Clever Geek Handbook

STARTTLS

STARTTLS is an extension to a plain-text application protocol that lets the client upgrade an already established TCP connection to an encrypted one (TLS or SSL), instead of opening a separate port reserved for encrypted connections.

STARTTLS for IMAP and POP3 is defined in RFC 2595, for SMTP in RFC 3207, for FTP in RFC 4217, for XMPP in RFC 6120, for LDAP in RFC 2830 and for NNTP in RFC 4642.


Levels

TLS is an application-independent protocol; in the words of RFC 5246:

Higher-level protocols can layer on top of TLS transparently. The TLS standard, however, does not specify how other protocols add security with TLS: it does not say how to initiate the TLS handshake or how to interpret the authentication certificates that are exchanged. Those decisions are left to the protocols that run on top of TLS. [1]

To use TLS, an application relies on a library that already implements it; what remains is to define, per application protocol, when the handshake starts. For example, the SMTP extension in RFC 3207 shows in the following dialog how the client and server start an encrypted session: [2]

   S: <waits for connection on TCP port 25>
   C: <opens connection>
   S: 220 mail.example.org ESMTP service ready
   C: HELO client.example.org
   S: 250-mail.example.org offers a warm hug of welcome
   S: 250 STARTTLS
   C: STARTTLS
   S: 220 Go ahead
   C: <starts TLS negotiation>
   C & S: <negotiate a TLS session>
   C & S: <check result of negotiation>
   C: HELO client.example.org [3]
   . . .

The last HELO command is already sent over the secure channel. Note that authentication is optional in SMTP, and the server's (omitted) reply to this second HELO may now safely advertise the AUTH PLAIN SMTP extension, which it did not offer during the plain-text exchange.
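The dialog above, worked through as an added client-side example that is not part of the original article or of RFC 3207: a small SMTP client state machine that parses EHLO replies, insists that STARTTLS is advertised, switches the (scripted) connection to TLS, and then discards everything it learned before the handshake and re-issues EHLO, as RFC 3207 section 4.2 requires. The scripted server, the ScriptedSession stand-in for the socket, the host names and the "refuse to continue in plaintext" policy are all assumptions for illustration; RFC 3207 requires EHLO rather than HELO, so the example uses EHLO.

```python
# Added example: RFC 3207 STARTTLS client state machine driven against a
# scripted server so that it runs offline. The server behaviour, the session
# object and the fail-closed policy are assumptions, not library or RFC code.


def parse_reply(lines):
    """Split an SMTP reply into (code, [text lines]).

    Every line must carry the same 3-digit code; "-" after the code means
    more lines follow, " " marks the final line (RFC 5321 reply syntax).
    """
    if not lines:
        raise ValueError("empty reply")
    code = lines[0][:3]
    if not code.isdigit():
        raise ValueError(f"bad reply code: {lines[0]!r}")
    texts = []
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != code or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        is_last = line[3] == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("reply terminated early or not at all")
        texts.append(line[4:])
    return int(code), texts


def ehlo_keywords(texts):
    """Map EHLO keywords to their parameters, skipping the first (domain) line."""
    caps = {}
    for text in texts[1:]:
        parts = text.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def scripted_server(command, tls_active):
    """Constructed server modelled on the article's dialog: STARTTLS is offered
    only in plaintext, AUTH PLAIN only once the stream is secured."""
    verb = command.split()[0].upper()
    if verb == "EHLO":
        return ["250-mail.example.org offers a warm hug of welcome",
                "250 AUTH PLAIN" if tls_active else "250 STARTTLS"]
    if verb == "STARTTLS" and not tls_active:
        return ["220 Go ahead"]
    return ["500 command not recognized"]


def plaintext_only_server(command, tls_active):
    """Constructed server that never offers STARTTLS."""
    if command.split()[0].upper() == "EHLO":
        return ["250 mail.example.org offers a warm hug of welcome"]
    return ["500 command not recognized"]


class ScriptedSession:
    """Stand-in for the TCP connection: records the dialog and whether TLS
    has been negotiated instead of touching the network."""

    def __init__(self, server):
        self._server = server
        self.tls_active = False
        self.transcript = [("S", "220 mail.example.org ESMTP service ready")]

    def command(self, line):
        self.transcript.append(("C", line))
        reply = self._server(line, self.tls_active)
        self.transcript.extend(("S", text) for text in reply)
        return reply

    def start_tls(self):
        # A real client wraps the socket here (e.g. ssl.SSLContext.wrap_socket)
        # and aborts if the handshake or the certificate check fails.
        self.transcript.append(("C & S", "<negotiate a TLS session>"))
        self.tls_active = True


class TlsRequired(Exception):
    """Raised when the session cannot be secured; the client fails closed."""


def open_secured_session(server, client_name="client.example.org"):
    """Run the dialog and return (session, keywords advertised over TLS)."""
    session = ScriptedSession(server)
    code, texts = parse_reply(session.command(f"EHLO {client_name}"))
    if code != 250:
        raise TlsRequired(f"EHLO rejected with {code}")
    if "STARTTLS" not in ehlo_keywords(texts):
        raise TlsRequired("server did not advertise STARTTLS; not continuing in plaintext")
    code, _ = parse_reply(session.command("STARTTLS"))
    if code != 220:
        raise TlsRequired(f"STARTTLS refused with {code}")
    session.start_tls()
    # RFC 3207 4.2: forget everything learned before the handshake and
    # re-issue EHLO on the secured stream; only these keywords are trusted.
    code, texts = parse_reply(session.command(f"EHLO {client_name}"))
    if code != 250:
        raise TlsRequired(f"EHLO over TLS rejected with {code}")
    return session, ehlo_keywords(texts)


def attempt(server):
    """Keywords seen over TLS, or None when the client refused to proceed."""
    try:
        return open_secured_session(server)[1]
    except TlsRequired:
        return None


if __name__ == "__main__":
    session, caps = open_secured_session(scripted_server)
    for who, line in session.transcript:
        print(f"{who}: {line}")
    print("capabilities over TLS:", caps)
    print("plaintext-only server:", attempt(plaintext_only_server))
```

Running the block prints the same shape of dialog as the article and shows that AUTH PLAIN is only ever seen over the secured stream; against the server that never offers STARTTLS the client stops instead of falling back to plaintext.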

SSL ports

Before STARTTLS appeared, separate TCP ports were assigned to SSL-encrypted variants of many protocols. On such a port the TLS handshake is performed first, and the secured stream then carries the old, unencrypted protocol unchanged. Since STARTTLS is the more efficient approach, allocating further scarce port numbers for this purpose is no longer recommended, which also simplifies the configuration of devices [4]. Some examples:

  Protocol   Purpose      Normal port   SSL variant   SSL port
  HTTP       Web server   80            HTTPS         443
  SMTP       Send email   25            SMTPS         465
  IMAP       Read email   143           IMAPS         993

Notes

  1. Tim Dierks; Eric Rescorla. The Transport Layer Security (TLS) Protocol. RFC Editor (August 2008). Retrieved October 8, 2009. Archived April 10, 2013.
  2. Paul Hoffman. SMTP Service Extension for Secure SMTP over Transport Layer Security. RFC Editor (February 2002). Retrieved October 8, 2009. Archived April 10, 2013.
  3. The last line of the example was added for clarity. See, e.g., the thread started by Paul Smith, "STARTTLS & EHLO", ietf-smtp mailing list, Internet Mail Consortium (January 26, 2009). Retrieved October 8, 2009. Archived April 10, 2013.
  4. C. Newman. Using TLS with IMAP, POP3 and ACAP. RFC (June 1999). Retrieved August 27, 2014.

Links

  • SMTP TLS Tests and Tools (the "Receiver Test" shows dialogs like the one above)
Source - https://ru.wikipedia.org/w/index.php?title=STARTTLS&oldid=87570371



Clever Geek | 2019