HTTP servers and TLS/STARTTLS support

Post by batfastad

Hi everyone

On all of the internet-facing services in our organisation, we're now using TLS/STARTTLS on the standard service TCP/IP ports rather than dedicated SSL ports.
So for IMAP/SMTP/e-mail submission/FTP our servers accept STARTTLS commands to upgrade the connection to TLS security rather than plaintext.
We're a small outfit so I have complete control/recommendation over the client software so I can make sure it's all compatible. TLS is mandatory for IMAP and FTP connections to our servers.

However the one exception to this is our intranet which runs on Apache (and our webmail interface, which is also Apache).
I've been under the impression that TLS is the present/future version of SSL and removes the requirement of needing to have a dedicated port on the server for SSL encrypted connections because TLS can operate over the normal port without causing any interference/side-effects.
In theory I guess this could also negate the need for sites on shared servers to use a separate IP when they need to have an SSL certificate installed... e.g. on cPanel/WHM servers.

But I've not found much documentation on using TLS on port 80 instead of the standard port for HTTPS 443.
Obviously to do this you would need to ensure that all HTTP clients that visit your server support the TLS mechanism.

I've found RFC 2817... http://www.faqs.org/rfcs/rfc2817.html
But does anyone know how widely this is supported?
Or how widely this is used in practice?
I've never seen much discussion of this topic really. It seems using STARTTLS is commonplace amongst FTP and e-mail connections, but not so much when it comes to HTTP.

Cheers, B
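The exchange RFC 2817 describes, as an added example that is not part of the post above: the client asks for an upgrade with `Upgrade: TLS/1.0` + `Connection: Upgrade`, the server answers `101 Switching Protocols` (and the TLS handshake then starts on the same port), or `426 Upgrade Required` when TLS is mandatory and the client did not ask for it. This is a string-level simulation with no sockets or real TLS, and the hostname is constructed.

```python
# Added example (not the poster's code): simulate the RFC 2817 HTTP-over-TLS
# upgrade negotiation on port 80. Constructed messages only; no real I/O.

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def wants_tls_upgrade(headers) -> bool:
    """Client-requested upgrade: an 'Upgrade' token starting with TLS/ and
    'upgrade' listed in the hop-by-hop 'Connection' header."""
    upgrade = [t.strip().upper() for t in headers.get("upgrade", "").split(",")]
    connection = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return any(t.startswith("TLS/") for t in upgrade) and "upgrade" in connection

def server_response(raw: str, tls_mandatory: bool = True) -> str:
    """Server side: 101 when the client asks to upgrade; 426 when TLS is
    mandatory and it did not; otherwise serve plaintext."""
    _method, _target, headers = parse_request(raw)
    if wants_tls_upgrade(headers):
        # After 101 the server performs the TLS handshake on this same connection
        return ("HTTP/1.1 101 Switching Protocols\r\n"
                "Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
    if tls_mandatory:
        # 426 is the downgrade guard: a client that never upgrades gets no content
        return ("HTTP/1.1 426 Upgrade Required\r\n"
                "Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
    return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

def client_upgrade_request(host: str) -> str:
    """Client side: OPTIONS * carrying the Upgrade request, no payload."""
    return ("OPTIONS * HTTP/1.1\r\nHost: %s\r\n"
            "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n" % host)

def status_code(response: str) -> int:
    """Extract the numeric status from a response status line."""
    return int(response.split(" ", 2)[1])

if __name__ == "__main__":
    print(server_response(client_upgrade_request("intranet.example")))  # constructed host
    print(server_response("GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
```

Unlike port 443, where every browser negotiates TLS before the first request, this upgrade only protects clients that implement it, so the 426 branch is what keeps a non-upgrading client from silently falling back to plaintext.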