[gnutls-dev] starttls

Nikos Mavroyanopoulos nmav@gnutls.org
Fri Feb 15 19:32:01 2002


On Fri, Feb 15, 2002 at 05:04:20PM +0000, Andrew McDonald wrote:

> > enabled it should connect using TLS and fail (or ask the user
> > to continue), otherwise. If this is the current behaviour
> > then ignore this.
> It's slightly more complicated than that. I'm not too keen on it, but
> it's what the mutt with OpenSSL behaviour is, and I'll probably try to
> change some of it in the future.
> The ssl_starttls setting essentially gives opportunistic encryption -
> if we use imap (port 143) and the server advertises STARTTLS we try to
> do it.
The STARTTLS mechanism is vulnerable to man in the middle attack. It's
easy for somebody to make the client see a different IMAP hello message,
which does not contain the starttls capability. In IMAPS the
obvious attack is to send RSTs and make the client think that there
is no server in this port. 

In the first case (starttls), if the client continues, without tls, and
without asking the actual user, then the user's password is sent in the 
clear. This does not happen in the imaps case, and since these starttls
replaces imaps, these two methods should be equally strong.

> If you work this through you'll realise that it is not possible to make
> sure it uses TLS and use STARTTLS on port 143. :-(
This is true... but if the user has chosen to use starttls, and
starttls is not available, he should be asked if he wishes to continue.

> I think an improved behaviour would be that if imap_force_ssl is set
> with 'imap' as the protocol and ssl_starttls set then it should do
> STARTTLS or fail (or maybe try imaps on port 993).
Yes this is much better.

> > The problem with these proprietary implementations is that we cannot
> > easily check against. 
> Indeed. It appears that he gets a fatal alert and that it is a problem
> with both SSLv3 and TLSv1, but that's as much as I've found out.
An other thing that might help here, is that DHE_RSA works with
any server i've tried, while the most compatibility problems exist in
RSA key exchange. The drawback is that DHE_RSA requires more 
calculations, than plain RSA, thus many servers disable it.


> Andrew
> -- 
> Andrew McDonald
> E-mail: andrew@mcdonald.org.uk
> http://www.mcdonald.org.uk/andrew/



-- 
Nikos Mavroyanopoulos
mailto:nmav@gnutls.org