SSL vs. TLS support

In the Apigee docs, we've sometimes used SSL and TLS interchangeably. For example, on our supported software page (http://docs.apigee.com/api-services/reference/supported-software) we say that 1.0 and 1.2 are supported.

Also, in API proxy configuration, we have elements such as SSLInfo.

Is it technically accurate to say that Edge supports only TLS, not SSL, or is it valid to use the terms interchangeably?

ACCEPTED SOLUTION

@Floyd Jones ,

According to IETF RFC 2246, TLS 1.0 is "based on the SSL 3.0 Protocol Specification as published by Netscape. The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although TLS 1.0 does incorporate a mechanism by which a TLS implementation can back down to SSL 3.0)." TLS 1.1 (RFC 4346) and TLS 1.2 (RFC 5246) are revisions of TLS 1.0.

As far as SSL is concerned, there is no 1.0 or 1.2 release of SSL. SSL 2.0 was released by Netscape via the SSL Protocol IETF draft, followed by SSL 3.0 via RFC 6101. Both SSL 2.0 and SSL 3.0 are considered to be insecure (a quick web search will reveal the vulnerabilities), and the latest versions of major browsers do not support SSL 2.0 and SSL 3.0 (see the Wiki page related to TLS/SSL support history of web browsers).

IMHO, the terms TLS and SSL should not be used interchangeably. Support for 1.0, 1.2, etc. should explicitly refer to TLS.

Awesome. Thanks for that, Pranav @pparekh. Makes sense. For the SSLInfo configuration you can set in proxies, that's a naming convention that would be too hard to change for backwards compatibility, and you can specify a TLS protocol in a child element. I think I'm set now. Thanks!
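
As an added example (not part of the original thread and not Apigee's own code), the following script audits SSLInfo blocks and separates SSL protocol names from TLS ones, matching the distinction drawn in the accepted answer. The `Protocols`/`Protocol` child element names, the JSSE-style protocol strings, and the `Bundle` wrapper are assumptions, since the thread does not name the child element; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed JSSE-style protocol names; the thread itself does not list them.
SSL_NAMES = {"SSLv2", "SSLv2Hello", "SSLv3"}   # SSL 2.0 / 3.0: insecure per the answer
TLS_NAMES = {"TLSv1", "TLSv1.1", "TLSv1.2"}    # TLS 1.0 / 1.1 / 1.2

# Constructed sample: three target endpoints wrapped in a hypothetical <Bundle> root.
SAMPLE = """
<Bundle>
  <TargetEndpoint name="legacy"><HTTPTargetConnection><SSLInfo>
    <Enabled>true</Enabled>
    <Protocols><Protocol>SSLv3</Protocol><Protocol>TLSv1</Protocol></Protocols>
  </SSLInfo></HTTPTargetConnection></TargetEndpoint>
  <TargetEndpoint name="modern"><HTTPTargetConnection><SSLInfo>
    <Enabled>true</Enabled>
    <Protocols><Protocol>TLSv1.2</Protocol></Protocols>
  </SSLInfo></HTTPTargetConnection></TargetEndpoint>
  <TargetEndpoint name="default"><HTTPTargetConnection><SSLInfo>
    <Enabled>true</Enabled>
  </SSLInfo></HTTPTargetConnection></TargetEndpoint>
</Bundle>
"""

def classify(proto):
    """Map a configured protocol name to 'ssl', 'tls' or 'unknown'."""
    if proto in SSL_NAMES:
        return "ssl"
    if proto in TLS_NAMES:
        return "tls"
    return "unknown"

def audit_sslinfo(xml_text):
    """Return (endpoint, protocol, verdict) for every protocol in every SSLInfo.

    An SSLInfo block with no protocol list is reported once as 'unpinned',
    because the negotiated version then depends on platform defaults.
    """
    findings = []
    for endpoint in ET.fromstring(xml_text).iter("TargetEndpoint"):
        name = endpoint.get("name", "?")
        for info in endpoint.iter("SSLInfo"):
            listed = [p.text.strip() for p in info.findall("Protocols/Protocol")
                      if p.text and p.text.strip()]
            if not listed:
                findings.append((name, None, "unpinned"))
            findings.extend((name, proto, classify(proto)) for proto in listed)
    return findings

if __name__ == "__main__":
    for endpoint, proto, verdict in audit_sslinfo(SAMPLE):
        print(f"{endpoint:8} {proto or '-':8} {verdict}")
```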