Subject: SSL/TLS vs StartTLS
Author: authen
Posted on: 09/11/2015 04:22:19 PM
SSL/TLS -- "plain communication over an encrypted channel"
StartTLS -- "encrypted communication over a plain channel"
SSL/TLS and StartTLS are both based on the same SSL or TLS protocols (SSL has been deprecated due to the POODLE vulnerability, though). Therefore, SSL/TLS and StartTLS are equally secure.
Differences:
SSL/TLS listens on a dedicated port, typically 636 for LDAP and 443 for HTTP; StartTLS listens on a normal port.
SSL/TLS's secure mechanism is initialized BEFORE any real communication happens; StartTLS's secure mechanism is initialized (and then closed) AFTER some real communication happens.
SSL/TLS works for an IP-address host (like 192.168.1.2) because SSL/TLS is initialized once and on a dedicated port; StartTLS doesn't work because StartTLS further checks the match between the host's name and the certificate's subject each time StartTLS starts (javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '192.168.1.2' does not match the hostname in the server's certificate).
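The two orderings above (handshake first on a dedicated port versus plaintext first, then an in-place upgrade) and the IP-address failure can be seen side by side in one small Go program. This is an added example, not code from the post: it builds a self-signed certificate in memory for the constructed name ldap.example.test (DNS SAN only, no IP SAN), starts two loopback servers that stand in for port 636 and port 389, and uses a toy line protocol ("220 ready", a "STARTTLS" command, "220 go ahead") that is only a stand-in for the real LDAP StartTLS extended operation. The third client attempt verifies the certificate against the literal 127.0.0.1 and fails the same way the Java exception quoted above does; in Go the message is the x509 "doesn't contain any IP SANs" error.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// serverName is the only name on the constructed self-signed certificate (assumed value).
const serverName = "ldap.example.test"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSigned builds an in-memory certificate (constructed test material) that
// covers serverName only, with no IP SAN, plus a pool that trusts it.
func newSelfSigned() (tls.Certificate, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}

// serve listens on a fresh loopback port (stand-in for 636 or 389) and answers
// connections. implicit=true: the TLS handshake is the first thing on the wire.
// implicit=false: plaintext greeting, plaintext "STARTTLS" command (toy protocol,
// not real LDAP), and only then is the same socket upgraded in place.
func serve(cert tls.Certificate, implicit bool) net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) {
				defer c.Close()
				if !implicit {
					fmt.Fprintln(c, "220 ready (plaintext)")
					if line, _ := bufio.NewReader(c).ReadString('\n'); line != "STARTTLS\n" {
						return
					}
					fmt.Fprintln(c, "220 go ahead")
				}
				tc := tls.Server(c, cfg)
				if tc.Handshake() == nil {
					fmt.Fprintln(tc, "hello over TLS") // first application data
					tc.Close()
				}
			}(c)
		}
	}()
	return ln
}

// connect dials addr in the chosen mode and returns the first line received after
// the handshake. name is what the server certificate is verified against.
func connect(addr, name string, pool *x509.CertPool, implicit bool) (string, error) {
	raw, err := net.DialTimeout("tcp", addr, 2*time.Second)
	must(err)
	defer raw.Close()
	if !implicit {
		r := bufio.NewReader(raw)
		r.ReadString('\n') // plaintext greeting
		fmt.Fprintln(raw, "STARTTLS")
		r.ReadString('\n') // "220 go ahead": the socket is upgraded from here on
	}
	tc := tls.Client(raw, &tls.Config{RootCAs: pool, ServerName: name})
	if err := tc.Handshake(); err != nil {
		return "", err // certificate and hostname verification failures land here
	}
	line, err := bufio.NewReader(tc).ReadString('\n')
	return strings.TrimSpace(line), err
}

// runDemo runs three client attempts against the two server styles.
func runDemo() (implicit, starttls string, ipErr error) {
	cert, pool := newSelfSigned()
	ln636, ln389 := serve(cert, true), serve(cert, false)
	defer ln636.Close()
	defer ln389.Close()
	var err error
	implicit, err = connect(ln636.Addr().String(), serverName, pool, true)
	must(err)
	starttls, err = connect(ln389.Addr().String(), serverName, pool, false)
	must(err)
	// Same StartTLS server, but verify against the IP literal the certificate does not cover.
	_, ipErr = connect(ln389.Addr().String(), "127.0.0.1", pool, false)
	return implicit, starttls, ipErr
}

func main() {
	a, b, ipErr := runDemo()
	fmt.Printf("implicit TLS: %q\nStartTLS: %q\nStartTLS verified against the IP: %v\n", a, b, ipErr)
}
```

Both successful attempts receive the same application line; only the point at which the handshake happens differs. The practical check this illustrates for anyone deploying either mode is that the certificate must carry a SAN matching whatever the client verifies against: a DNS SAN when clients connect by name, an IP SAN when they connect by address. In this Go model the name check is driven by the client's ServerName setting and runs at the handshake wherever that handshake sits in the exchange.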
References: