What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?


Question

I'm rewording my question so hopefully I can get a better response. I asked a similar question on serverfault here, and think that a proper and valid TLS server is one that expects the "STARTTLS" command.

Is it true that STARTTLS can be issued to a properly configured LDAP or HTTP TLS server without needing an extra port? I know that this is true from an SMTP perspective, but am not sure how broadly I can apply those experiences to other protocols.

I've spent time reading (but not fully grasping)

Q: What happens on the wire right before the TLS over LDAP or HTTP session is set up? Since this is TCP based can I simply telnet to that port and issue some command to verify it's working (up to that point)?

Solution

There are very few differences between SSL and TLS in the way they are used. There is, however, a fundamental difference between up-front establishment of SSL/TLS and the use of a command such as STARTTLS. Sometimes, "TLS" is used in contrast to "SSL", to mean "using a STARTTLS mode" but this is incorrect.

Up-front TLS/SSL

In this case, the client initiates the TLS/SSL connection before anything else, so SSL/TLS handshake happens first. Once the secure socket is up, the application using it can start sending the various commands for the protocol above TLS (e.g. HTTP, LDAP in this mode, SMTP).

In this mode, the SSL/TLS versions have to run on a different port from their plain counterparts, for example: HTTPS on port 443, LDAPS on port 636, IMAPS on port 993, instead of 80, 389, 143 respectively.

The layers implementing these application protocols barely need to know they're running on top of TLS/SSL. Sometimes, they're simply tunneled in tools such as sslwrap.

TLS after STARTTLS (or equivalent)

The TLS specification allows for the handshake to happen at any time, including after having exchanged some data in plain TCP over the same TCP connection.

Some protocols, including LDAP, incorporate a command to tell the application protocol there will be an upgrade. Essentially, the first part of the LDAP communication happens in plain text, then a STARTTLS message is sent (still in plain text), which indicates that the current TCP connection will be reused but that the next commands will be wrapped within a TLS/SSL layer. At this stage, the TLS/SSL handshake happens and the communication is "upgraded" to TLS/SSL. Only after this the communication is secured via TLS/SSL, and both the client and servers know that they have to wrap/unwrap their commands from the TLS layer (typically adding a TLS library between the TCP layer and the application layer).

The details of how STARTTLS is implemented within each protocol vary depending on the protocol (because this has to be compatible with the protocol using it to some extent).

Even HTTP has a variant using this mechanism, although it's mostly never supported: RFC 2817 Upgrading to TLS Within HTTP/1.1. This is completely different from the way HTTPS works (RFC 2818), which initiates TLS/SSL first.

The advantages of the STARTTLS approach are that you can run both secured and plain variants on the same port; the disadvantages are the consequences of that, in particular potential downgrade attacks or possible mistakes in the configuration.

(EDIT: I've removed an incorrect sentence, as @GregS pointed out, thanks.)

(EDIT: I've also put more on SSL vs. TLS in this answer on ServerFault.)
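As an added illustration of the two modes the answer contrasts (this is example code written for this page, not code from the answer's author): the first bytes a client sends on a fresh TCP connection already reveal which mode it uses. In up-front mode (LDAPS on 636, HTTPS on 443) the very first thing on the wire is a TLS record header carrying the ClientHello; in STARTTLS mode (LDAP on 389) the first thing is a plaintext BER-encoded LDAPMessage, and the StartTLS extended operation of RFC 4511 / RFC 4513 (requestName OID 1.3.6.1.4.1.1466.20037) is what the client sends before the handshake. The encoder, the decoder and the classifier below are my own helpers; the OID, tag numbers and message layout come from RFC 4511, and the sample server replies are constructed, not captured from a real server. `ldap_starttls_upgrade()` shows where the handshake on the same socket would happen and is not called here.

```python
import socket
import ssl

# RFC 4511 section 4.14 / RFC 4513: requestName OID of the StartTLS extended operation
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def _ber_len(n):
    """BER definite length: short form below 128, long form (0x80|N, then N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(n):
    """Minimal two's-complement encoding of a non-negative INTEGER / ENUMERATED value."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the BER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def classify_first_bytes(first):
    """Classify the first bytes a client sends on a fresh TCP connection, as a listener or capture sees them."""
    # Up-front TLS: a TLS record header (content type 0x16 = handshake, version 3.x) carrying the ClientHello
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03 and first[2] <= 0x04:
        return "tls-up-front"
    if first[:1] == b"\x30":        # plaintext LDAP: every LDAPMessage is a BER SEQUENCE (Bind, StartTLS, ...)
        return "ldap-plaintext"
    if first.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"

def build_ldap_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] = StartTLS OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext_req)

def build_ldap_extended_response(message_id, result_code, matched_dn="", diagnostic="", response_name=None):
    """ExtendedResponse [APPLICATION 24] as a server would encode it; used here to construct sample replies."""
    body = _tlv(0x0A, _ber_int(result_code)) + _tlv(0x04, matched_dn.encode()) + _tlv(0x04, diagnostic.encode())
    if response_name is not None:
        body += _tlv(0x8A, response_name.encode("ascii"))     # responseName [10] OPTIONAL
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x78, body))

def parse_ldap_extended_response(msg):
    """Decode the (still plaintext) ExtendedResponse that answers a StartTLS request."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)        # ENUMERATED resultCode, 0 = success
    _, matched, pos = _read_tlv(op, pos)   # OCTET STRING matchedDN
    _, diag, pos = _read_tlv(op, pos)      # OCTET STRING diagnosticMessage
    name = None
    if pos < len(op) and op[pos] == 0x8A:  # responseName [10], sent by some servers
        _, raw, pos = _read_tlv(op, pos)
        name = raw.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(), "response_name": name}

def ldap_starttls_upgrade(sock, ctx, server_hostname):
    """Client side of the upgrade: plaintext StartTLS exchange, then the handshake on the SAME socket (not called here)."""
    sock.sendall(build_ldap_starttls_request())
    resp = parse_ldap_extended_response(sock.recv(4096))   # the reply is a few bytes; one recv suffices in practice
    if resp["result_code"] != 0:
        raise RuntimeError("server refused StartTLS: %s" % resp["diagnostic"])
    return ctx.wrap_socket(sock, server_hostname=server_hostname)   # only now does a ClientHello go on the wire


# Constructed sample replies (not captured from any real server)
SAMPLE_STARTTLS_OK = build_ldap_extended_response(1, 0)
SAMPLE_STARTTLS_REFUSED = build_ldap_extended_response(1, 1, diagnostic="TLS already started", response_name=STARTTLS_OID)

if __name__ == "__main__":
    hello = b"\x16\x03\x01\x02\x00\x01\x00"            # constructed: start of a TLS record carrying a ClientHello
    for first in (hello, build_ldap_starttls_request(), b"GET / HTTP/1.1\r\n"):
        print("%-14s -> %s" % (first[:5].hex(), classify_first_bytes(first)))
    print("server reply:", parse_ldap_extended_response(SAMPLE_STARTTLS_OK))
    print("server reply:", parse_ldap_extended_response(SAMPLE_STARTTLS_REFUSED))
```

The point for anyone reviewing a capture or writing a detection: on 636 or 443 a connection that does not start with a `16 03 xx` record is not a TLS client at all, while on 389 the same first byte (`30`) covers both a StartTLS request and a plaintext Bind, which is exactly the configuration-mistake and downgrade surface the answer mentions; telling the two apart requires decoding the LDAPMessage, as `parse_ldap_extended_response()` does for the reply.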
