CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.3  The Web            9  2.3.1  SSL/TLS (Secure Sockets Layer / Transport Layer Security)

Secure Sockets Layer (SSL) 1 2.3.2  HTTP/S

TLS, or Transport Layer Security, is a transport layer protocol based on SSL and is considered to be a more flexible successor to it. Although TLS isn’t compatible with SSL v3.0, it is very similar, and the TLS protocol does contain provisions for a TLS connection to back down to SSL v3.0 functionality if required. Like SSL, it supports a wide variety of encryption options, and can use digital certificates for authentication. Unlike SSL, it is application-independent, and can be used to provide a secure channel for protocols other than HTTP, such as SMTP.

When a connection is made, the TLS Record Protocol first calls the TLS Handshake Protocol, which enables both sides of a communication to authenticate themselves to each other (if desired – this step is currently optional) via X.509 public-key certificates, negotiate an (optional) encryption algorithm supported by both sides, and exchange key information. After that, the TLS Record Protocol uses the agreed upon encryption algorithm for data exchange, and the agreed upon hashing algorithm to ensure that the message was not altered during transport. The OpenSSL Project includes an implementation of TLS in addition to SSL.

Implementations of SMTP, IMAP and POP3 have all been layered over TLS. Each of these, because of the encryption and additional authentication by TLS, has been assigned a new port number for incoming communication, so that clients contact one server for unencrypted communication, and another for encrypted communication.

If you’re planning to allow connections to any of these through your firewall, be sure that the appropriate destination port number is open. A NetworkWorldFusion article has the scoop (as of 1999) as to what port numbers are used for which services.¹⁹⁶

Secure Sockets Layer (SSL) 1 2.3.2  HTTP/S