What are the exact protocol level differences between SSL and TLS?
This is a technical deep dive after this overview question was asked.
What are the protocol differences between SSL and TLS?
Is there really enough of a difference to warrant a name change? (versus calling it "SSLv4" or "SSLv5" for the newer versions of TLS)
SSLv2 and SSLv3 are completely different (and both are now considered insecure). SSLv3 and TLSv1.0 are very similar, but have a few differences.
You could consider TLSv1.0 as SSLv3.1 (in fact that's what happens within the records exchanged). It's just easier to compare TLSv1.0 with TLSv1.1 and TLSv1.2 because they've all been edited within the IETF and follow more or less the same structure. Since SSLv3 was edited by a different institution (Netscape), it is a bit more difficult to spot the differences.
Here are a few differences, but I doubt I can list them all:
- In the ClientHello message (first message sent by the client, to initiate the handshake), the version is {3,0} for SSLv3, {3,1} for TLSv1.0 and {3,2} for TLSv1.1.
- The ClientKeyExchange differs.
- The MAC/HMAC differs (TLS uses HMAC whereas SSL uses an earlier version of HMAC).
- The key derivation differs.
- The client application data can be sent straight after sending the SSL/TLS Finished message in SSLv3. In TLSv1, it must wait for the server's Finished message.
- The list of cipher suites differs (and some of them have been renamed from SSL_* to TLS_*, keeping the same id number).
- There are also differences regarding the new re-negotiation extension.
I would strongly recommend Eric Rescorla's book, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001, ISBN 0-201-61598-3, if you really want more details. I've learnt about some of the points mentioned above from this book. The author occasionally mentions the differences between SSLv3 and TLS (v1.0 only at the time the book was written) when explaining some of the SSL/TLS messages, but you do need the background explanation about these messages to have a chance to understand (and it's not appropriate to copy/paste from this book here).
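The MAC difference in the answer above is concrete enough to show in code. The following is an added example, not code from the answer or from any TLS library: it computes the SSLv3 record MAC as specified in the SSL 3.0 draft (two nested plain hashes with the secret followed by fixed pad bytes) next to the TLS 1.0 record MAC from RFC 2246 (RFC 2104 HMAC over a header that additionally carries the protocol version), and writes HMAC out by hand so the structural difference is visible. The MAC secret, sequence number and record fragment are constructed sample values, not from a real session.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs, not taken from any real session.
MAC_SECRET = bytes(range(20))          # 20-byte MAC_write_secret as used by SHA-1 suites
SEQ_NUM = 0                            # 64-bit record sequence number
APPLICATION_DATA = 23                  # ContentType.application_data
FRAGMENT = b"GET / HTTP/1.0\r\n\r\n"   # plaintext record body


def sslv3_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """SSLv3 record MAC (SSL 3.0 draft, section 5.2.3.1):

        hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment))

    pad_1 is 0x36 and pad_2 is 0x5c, each repeated 48 times for MD5 and 40 times
    for SHA-1. The pad bytes are concatenated after the secret rather than XORed
    into a block-sized key, which is why this is only an ancestor of HMAC.
    Note the header carries no version field.
    """
    h = getattr(hashlib, hash_name)
    pad_len = 48 if hash_name == "md5" else 40
    pad_1 = b"\x36" * pad_len
    pad_2 = b"\x5c" * pad_len
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = h(mac_secret + pad_1 + header + fragment).digest()
    return h(mac_secret + pad_2 + inner).digest()


def tls10_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """TLS 1.0 record MAC (RFC 2246, section 6.2.3.1): RFC 2104 HMAC over
    seq_num + type + version + length + fragment. The version bytes {3,1}
    are now part of the authenticated header."""
    header = struct.pack("!QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def hmac_by_hand(key, msg, hash_name="sha1"):
    """RFC 2104 HMAC written out, to contrast with sslv3_mac: the key is padded
    to the hash block size and XORed with the ipad/opad constants."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5c for b in key)
    return h(opad + h(ipad + msg).digest()).digest()


def tls10_mac_by_hand(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """Same header as tls10_mac, but through hmac_by_hand; must agree with the stdlib."""
    header = struct.pack("!QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac_by_hand(mac_secret, header + fragment, hash_name)


if __name__ == "__main__":
    args = (MAC_SECRET, SEQ_NUM, APPLICATION_DATA, FRAGMENT)
    print("SSLv3 MAC   :", sslv3_mac(*args).hex())
    print("TLS 1.0 HMAC:", tls10_mac(*args).hex())
    print("hand-rolled HMAC agrees with hashlib/hmac:",
          tls10_mac(*args) == tls10_mac_by_hand(*args))
```

The two MACs differ for the same secret and record because the constructions differ, not merely because TLS adds two version bytes to the header; both the 0x36/0x5c constants and the inner/outer structure survive from SSLv3 into HMAC, but in HMAC they are XORed into a block-sized key rather than appended to the secret.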
I will just echo the other answers but perhaps with a slightly different emphasis.
There was a secure sockets protocol which was "owned" by Netscape which was called SSL version 2. A new version with a different record structure and security improvements, also "owned" by Netscape, was released and called SSL version 3. Inside the protocol in several places is a binary version number field. For SSL version 3, this field is set to 0x03 0x00, i.e. version 3.0. Then the IETF decided to create its own standard. Possibly because there were some intellectual property uncertainties about SSL, including whether "SSL" was a Netscape trademark, when the IETF released the next version of this protocol they gave it their own name: Transport Layer Security protocol, or TLS version 1.0. The record format and overall structure is identical and consistent with SSL v3. The binary version number was revved to 0x03 0x01, and as others have noted there were some minor crypto changes. There have since been TLS versions 1.1 and 1.2, for which the internal protocol numbers are 0x03 0x02 and 0x03 0x03.
Ignoring SSLv2, it was basically just a name change along with normal protocol fine-tuning that happens as people get smarter about security and performance.
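The version bytes and the cipher-suite renaming mentioned in the answers above can be checked against the wire format. The following is an added example, not code from any answer or from a TLS implementation: it serialises a minimal ClientHello (no extensions) inside a handshake record and parses it back, reporting the record-layer version, the version in the ClientHello body (the client's highest supported version, which in practice may be higher than the record-layer version), the cipher-suite ids, and the SSL_ or TLS_ name for a few suites whose id is the same in both registries. The cipher-suite table is a small hand-picked subset, and the client random is a constructed all-zero value.

```python
import struct

HANDSHAKE = 22        # ContentType.handshake
CLIENT_HELLO = 1      # HandshakeType.client_hello

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

# Hand-picked subset: (SSLv3-era name, TLS name). The 16-bit id did not change
# with the rename; the AES suites have no SSL_ name because they were only ever
# registered for TLS (RFC 3268).
CIPHER_SUITES = {
    0x0004: ("SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_MD5"),
    0x0005: ("SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_SHA"),
    0x000A: ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    0x002F: (None, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    0x0035: (None, "TLS_RSA_WITH_AES_256_CBC_SHA"),
}


def suite_name(suite_id, version):
    """SSL_ spelling when the hello says SSLv3, TLS_ otherwise; hex if unknown here."""
    ssl_name, tls_name = CIPHER_SUITES.get(suite_id, (None, None))
    if version == (3, 0) and ssl_name:
        return ssl_name
    return tls_name or "0x%04x" % suite_id


def build_client_hello(version, cipher_suites, client_random=bytes(32)):
    """Serialise a minimal ClientHello (no extensions) inside one handshake record."""
    body = bytes(version) + client_random + b"\x00"        # version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                       # compression_methods: [null]
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = struct.pack("!BBBH", HANDSHAKE, version[0], version[1], len(handshake))
    return record_header + handshake


def parse_client_hello(data):
    """Walk the record header and ClientHello body; every length is checked
    against the buffer before it is used."""
    if len(data) < 5:
        raise ValueError("short record header")
    if data[0] & 0x80:
        # SSLv2 ClientHello: 2-byte length with the high bit set and no content
        # type byte. Different framing entirely, not handled here.
        raise ValueError("SSLv2-style hello, not an SSLv3/TLS record")
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record: type %d" % ctype)
    hs = data[5:5 + rlen]
    if len(hs) != rlen or rlen < 4:
        raise ValueError("truncated handshake record")
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello: handshake type %d" % hs[0])
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1:
        raise ValueError("truncated ClientHello body")
    hmaj, hmin = body[0], body[1]
    pos = 2 + 32                                              # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len + 1 > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1
    compression = list(body[pos:pos + comp_len])
    return {
        "record_version": (rmaj, rmin),
        "hello_version": (hmaj, hmin),
        "version_name": VERSION_NAMES.get((hmaj, hmin), "unknown"),
        "cipher_suites": suites,
        "suite_names": [suite_name(s, (hmaj, hmin)) for s in suites],
        "compression": compression,
    }


if __name__ == "__main__":
    for version in ((3, 0), (3, 1), (3, 2), (3, 3)):
        hello = build_client_hello(version, [0x002F, 0x000A, 0x0004])
        print(hello[:5].hex(), parse_client_hello(hello))
```

Running the block prints the five record-header bytes (0x16, then the version pair, then the length) for each version alongside the parsed fields; the only thing that changes between the SSLv3 and TLS 1.0 hellos is the version pair and the SSL_/TLS_ prefix of the suite names, which is the "SSLv3.1" point made above.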
Fundamentally, it is nothing but a name change for a newer version of the protocol. I believe the main reason for that was to differentiate it from the older, informal standard mainly designed by Netscape after it became an official IETF standards track protocol.
As was said in the answers to your earlier question, this doesn't mean SSLv3 and TLSv1.0 are compatible. Citing from RFC 2246:
the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate.
I guess if you really want to know the exact differences in the protocols, you must read the standards and compare yourself.
SSLv3 protocol draft from Netscape
TLSv1.0: RFC 2246