The Service Level Options of the manual include the following points:

protocol = proto
    application protocol to negotiate SSL (e.g. starttls or stls)
    protocol option should not be used with SSL encryption on a separate port.
    Currently supported protocols:
    CIFS
    Connect
    Etc..
However, in the listed supported protocols neither "starttls" nor "stls" appears, even though they appear to be options as far as I can see from the above explanation. Am I missing something here, or should they be among those in the list, and can one use this setting:
Protocol=starttls
Also, I don't really understand what this statement is telling me: "protocol option should not be used with SSL encryption on a separate port."
John A. Wallace
From protocol.c in the stunnel source:
    /* handlers[0] is used in server mode, handlers[1] in client mode
       (compare the _server and _client function names); the phase
       says when the handler runs relative to the connect and SSL steps */
    static const struct {
        char *name;
        struct {
            PROTOCOL_PHASE type;
            FUNCTION func;
        } handlers[2];
    } protocols[]={
        {"proxy",   {{PROTOCOL_PRE_SSL,     proxy_server},   {PROTOCOL_PRE_SSL, NULL}}},
        {"cifs",    {{PROTOCOL_PRE_CONNECT, cifs_server},    {PROTOCOL_PRE_SSL, cifs_client}}},
        {"pgsql",   {{PROTOCOL_PRE_CONNECT, pgsql_server},   {PROTOCOL_PRE_SSL, pgsql_client}}},
        {"smtp",    {{PROTOCOL_PRE_SSL,     smtp_server},    {PROTOCOL_PRE_SSL, smtp_client}}},
        {"pop3",    {{PROTOCOL_PRE_SSL,     pop3_server},    {PROTOCOL_PRE_SSL, pop3_client}}},
        {"imap",    {{PROTOCOL_PRE_SSL,     imap_server},    {PROTOCOL_PRE_SSL, imap_client}}},
        {"nntp",    {{PROTOCOL_NONE,        NULL},           {PROTOCOL_PRE_SSL, nntp_client}}},
        {"connect", {{PROTOCOL_PRE_CONNECT, connect_server}, {PROTOCOL_PRE_SSL, connect_client}}},
        {NULL,      {{PROTOCOL_NONE,        NULL},           {PROTOCOL_NONE,    NULL}}}
    };
*STARTTLS* is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS http://en.wikipedia.org/wiki/Transport_Layer_Security or SSL http://en.wikipedia.org/wiki/Secure_Socket_Layer) connection instead of using a separate port for encrypted communication.
stunnel will use one port to communicate the encrypted information. That's what it is telling you. No need to initiate a separate port when STARTTLS is sent.
On Wed, Dec 5, 2012 at 1:27 PM, John A. Wallace jw72253@verizon.net wrote:
On 2012-12-05 19:27, John A. Wallace wrote:
The Service Level Options of the manual include the following points:

protocol = proto
    application protocol to negotiate SSL (e.g. starttls or stls)
You are right. This description may indeed suggest that "starttls" and "stls" are *protocols* rather than features (commands) of supported protocols (e.g. smtp, pop3, imap, etc.) that allow them to negotiate SSL.
I will fix the description.
Mike
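As an added example, not taken from the thread or from the stunnel manual, the following stunnel.conf fragment applies the clarification above: the value of protocol is the name of the application protocol (smtp, pop3, imap, ...) whose STARTTLS/STLS command stunnel drives before it starts TLS, so the option belongs on services that talk to a plaintext port, and must be left out on services that talk to a dedicated SSL port, where TLS starts on the first byte. The host names, ports and certificate path are placeholders.

```ini
; Added example, not part of the stunnel manual or this thread.
; Host names, ports and the certificate path are placeholders.

; Client-mode service: local plaintext SMTP on 127.0.0.1:2525 ->
; remote server on the standard plaintext port 25. stunnel speaks
; SMTP first (reads the greeting, sends EHLO and STARTTLS) and only
; then begins the TLS handshake, so "protocol = smtp" is required.
[smtp-starttls]
client   = yes
accept   = 127.0.0.1:2525
connect  = mail.example.com:25
protocol = smtp

; Same goal, but the remote side offers SSL on its own port
; (465 for SMTP, 993 for IMAP, 995 for POP3). TLS starts immediately
; and nothing is negotiated in the clear, so "protocol" is omitted.
; Adding "protocol = smtp" here would make stunnel send plaintext
; SMTP commands into a socket that expects a TLS ClientHello, and the
; connection would fail. This is the "separate port" case the manual
; warns about.
[smtps-implicit]
client   = yes
accept   = 127.0.0.1:2526
connect  = mail.example.com:465

; Server-mode counterpart: accept plaintext IMAP on 143, handle the
; client's STARTTLS command, then pass the upgraded session to a
; local IMAP daemon that itself speaks only plaintext.
[imap-starttls-server]
accept   = 0.0.0.0:143
connect  = 127.0.0.1:1143
protocol = imap
cert     = /etc/stunnel/imap.pem
```

The valid values for protocol are the names in the manual's list (and in the protocols[] table quoted earlier in the thread); "starttls" and "stls" are commands those protocols send, not values the option accepts. A quick way to confirm which case a remote port is: openssl s_client -starttls smtp -connect host:25 should succeed where protocol = smtp is appropriate, and plain openssl s_client -connect host:465 should succeed where it must be omitted.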