What is TLS and how does it compare to SSL?

ssl ssl-certificate vpn tls

Solution 1:

TLS and SSL are closely related technologies.

First, email and Opportunistic TLS. ESMTP has the option of performing the actual data transfer portion of the conversation over an encrypted link. This is part of the protocol and has been called TLS for most of its existence. It works roughly like this:

-> EHLO foreignmailer.example.com
<- 250 Howdy, stranger
<- [list of capabilities, of which TLS is listed]
-> [Indicates it wants to start a TLS session]
<- [accepts negotioation]
-> [Mail actions, of which LOGIN might be one]

Once the TLS session has been started, new login methods might be available. This is an example of a protocol that includes Transaction Layer Security in it directly. The certificates used are the same kind of certificates used for SSL over HTTP.

For an example of a service that doesn't include TLS directly, take POP3-over-SSL. In that case, the secure session is negotiated before the actual protocol is negotiated. In essence, POP3 is being encapsulated inside a secure session.

In general, if a service supports SSL it can be extended to support TLS. Whether or not that has been done is up to the maintainers of the service. This does mean that TLS can replace SSL in "SSL VPNs".

SSL VPNs are distinct from their IPSec based cousins in that the secure session is done at a different level. SSL VPNs do their work much the same way that POP3-over-SSL does, in that traffic is encapsulated over an existing TCP connection. IPSec VPNs create an IP-level secure tunnel, where SSL VPNs create a TCP-level secure tunnel. The reason SSL VPNs seem to be taking over is that they're easier to set up and are more tolerant of bad network conditions. SSL VPNs can and do use the TLS protocol for securing the session, though it does depend on the maker of the VPN itself.

As for the exact protocol level differences between SSL and TLS, that I can't get into. TLS as a standard was arrived at later than SSL and therefore includes some of the lessons learned in the early SSL versions. SSLv3 was ratified back in 1996 and TLS1.0 in 1999, and further protocol development appears to be limited to the TLS suite. It has taken a LONG time for SSLv1 and v2 to go away. TLS is the clear successor of the SSL suite.

Solution 2:

TLS is essentially an upgrade to SSL. The changes to it are not dramatic, but significant enough to break compatibility with SSL3.0.

The Wikipedia article covers it extensively but in reasonably understandable terms. (I don't mean to RTFM, but I don't want to repeat everything there.)

They are used in similar ways, and is still referred to as SSL. Basically, you choose your encryption scheme to be one or the other.

Related

HSTS on Amazon CloudFront from S3 origin
What exactly is the MTU/MRU issue, what it is caused by and how to fix it?
In-place upgrade from Windows Server Standard to Enterprise or Datacenter
No IPv6 connectivity from docker container
Would rebooting the server in a schedule be good idea for performance?
How to get a core dump from apache when segfaulting
How do I find all files and directories writable by a specific user?
HAProxy - how to append client ip in X-Client-IP and X-Forwarded-For headers?
When is RAID worth the trouble?
how to trigger jenkins job via curl command remotely
AWS Fargate service: scale to zero?
is ksplice production ready?