rsync and SSL

Michael H. Warfield mhw at wittsend.com
Fri Sep 21 00:19:15 EST 2001


On Thu, Sep 20, 2001 at 01:00:46AM +0000, M. Drew Streib wrote:
> On Thu, Sep 20, 2001 at 10:47:15AM +1000, Cameron Simpson wrote:
> > That way we could do SMTP over SSL etc etc transparently: clients connect,
> > say "SSL", if rejected either fall back or fall out, and if accepted
> > then away we all go.

> > Is there some technical reason for not doing things this way?

> Other than an extra couple tcp transmissions, not too many. It does
> probably break about all existing protocols though, at least as written,
> since the SSL handshake would fall outside of the bounds of the protocol.
> Implementing this on SMTP, for instance, would require more than SMTP,
> but would be SMTP+SSLoption, which _may_ be fully backwards compatible,
> but certainly not "compliant", as it implements non-standard behavior.

> Even if the initial request were inside of the bounds of the protocol,
> as in "Renegotiate: SSL" as an http header, the followup
> handshake and subsequent transmission certainly wouldn't be standard.

	Bzzzttt...  Wrong answer.  Sorry...  This already exists for
SMTP and others and is typically referred to as "START TLS"/"STARTTLS"
(TLS is the ietf term for SSL v3) or "escape to TLS" or something similar.

	It's standardized.  RFC 2487 [SMTP Service Extension for Secure
SMTP over TLS] in the case of SMTP.  There are patches for QMail and
Postfix on the net and the latest sources of sendmail (8.11.x and
8.12.x) include it although it's not built by default.

> This may not bother you from a technical perspective, but might upset
> people that are purists at the wire protocol level. It is something
> that certainly could be debated, either for an individual protocol,
> or across the spectrum. Nothing to stop rsync from implementing something
> like this, since it is sort of in charge of its own protocol development...

	Look up the standard for escape to TLS and find your answer there.
RFC 2487 covers SMTP STARTTLS.  There are references to a telnet STARTTLS
option in RFC 2400 and RFC 2595 [Using TLS with IMAP, POP3 and ACAP]
covers several other protocols.

> I'd be interested in seeing an IETF proposal for something like this,
> just for public debate.

	AFAIK...  This is already a done deal.  Seems to be pretty well
hashed over in the ietf.

> -drew

> -- 
> M. Drew Streib <dtype at dtype.org> | http://dtype.org/
> FSG <dtype at freestandards.org>    | Linux International <dtype at li.org>
> freedb <dtype at freedb.org>        | SourceForge <dtype at sourceforge.net>


	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
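The in-band "escape to TLS" exchange the thread describes, as an added example that is not part of the original posts: a constructed SMTP client/server dialogue in Python following the RFC 2487 shape (EHLO advertises STARTTLS, client sends STARTTLS, server answers 220 and the TLS handshake follows on the same connection), with the client's fall-back-or-fall-out choice as an explicit policy parameter. The server stand-in, the host names and the reply texts are constructed for the example; no sockets or real TLS are involved.

```python
# Added example (constructed), not code from the thread or from rsync/sendmail.
class ScriptedServer:
    """Constructed SMTP server stand-in: fixed scripted replies, no sockets."""
    def __init__(self, offers_starttls: bool, accepts_starttls: bool = True):
        self.offers, self.accepts = offers_starttls, accepts_starttls

    def send(self, command: str) -> str:
        verb = command.split()[0].upper()
        if verb == "EHLO":
            lines = ["250-mail.example.test Hello client", "250-SIZE 10240000"]
            if self.offers:
                lines.append("250-STARTTLS")  # capability advertised in EHLO reply
            lines.append("250 HELP")
            return "\r\n".join(lines)
        if verb == "STARTTLS":
            if not self.offers:
                return "502 5.5.1 Command not implemented"
            if not self.accepts:
                return "454 4.7.0 TLS not available due to temporary reason"
            # a real server would begin the TLS handshake right after this line
            return "220 2.0.0 Ready to start TLS"
        return "500 5.5.1 Unrecognized command"

def parse_reply(reply: str):
    """Split an SMTP reply into (code, [text lines]); 'NNN-' continues, 'NNN ' ends."""
    code, texts = None, []
    for line in reply.split("\r\n"):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(line[4:])
        if line[3] == " ":
            return code, texts
    raise ValueError("multi-line reply never terminated")

def escape_to_tls(server: ScriptedServer, require_tls: bool) -> str:
    """Client side: 'tls' or 'plain'; raises when policy says fall out, not back."""
    code, texts = parse_reply(server.send("EHLO client.example.test"))
    if code != 250:
        raise ConnectionError(f"EHLO rejected with {code}")
    caps = {t.split()[0].upper() for t in texts[1:] if t.strip()}  # skip greeting
    if "STARTTLS" in caps:
        code, _ = parse_reply(server.send("STARTTLS"))
        if code == 220:
            return "tls"  # handshake runs next; client must re-issue EHLO afterwards
    if require_tls:
        raise ConnectionError("server did not escape to TLS; refusing plaintext")
    return "plain"
```

With `require_tls=False` the client silently continues in plaintext whenever the capability is missing or the STARTTLS command is refused, which is exactly the "fall back" branch; a client that must guarantee encryption sets `require_tls=True` and fails closed instead.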