What is UCSPI-TLS?
UCSPI-TLS is a protocol extension to the Unix Client/Server Protocol Interface, or UCSPI, adding "delayed encryption". "Delayed encryption" means a session starts off in plaintext, then a command is issued to turn on encryption, encryption is negotiated, and the session restart. This has become a very common way to handle encryption, because it simplifies client configuration and requires only one TCP port.
Why would I want UCSPI-TLS?
These are the goals of the UCSPI-TLS protocol:
- Simple, UCSPI-compatible use.
- Support for both traditional SSL and delayed encryption through STARTTLS or similar.
- All SSL/TLS code in one place.
- Minimal changes required for each server.
Additionally, a specific goal of this implementation is
- Support for "privilege separation", so that encryption can happen in a low-privilege subprocess.
I believe the privilege separation feature increases your system's security significantly. It creates a dedicated process to handle each encrypted connection, and this process can change its root directory and switch to a low-privilege user and group. Because of its complexity, OpenSSL has had its share of security bugs. Doing encryption in a low-privilege process ensures that the impact of any security bugs is minimized.
How do I use UCSPI-TLS?
All of the UCSPI-TLS implementations here are patches to existing programs.
- This patch to ucspi-ssl (README) implements an UCSPI-\TLS server with SSL privilege seperation for ucspi-ssl.
- This patch to netqmail (README) implements UCSPI-TLS clients for netqmail, adding STARTTLS support to qmail-smtpd and STLS support to qmail-popup.
- This patch to mailfront (README) implements UCSPI-TLS clients for mailfront, adding STARTTLS support to the SMTP and IMAP server, and STLS support to the POP3 server.
For more detailed instructions on using UCSPI-TLS with ucspi-ssl and netqmail, see the UCSPI-TLS on netqmail HOWTO.
There are also other files and versions of the patches.
Who's behind UCSPI-TLS?
Scott Gifford helped design the UCSPI-TLS protocol, and wrote most of the code here. Charlie Brady also helped design the UCSPI-TLS protocol.