What is UCSPI-TLS?
UCSPI-TLS is a protocol extension to the
Unix Client/Server Protocol Interface, or UCSPI, adding "delayed
encryption". "Delayed encryption" means a session starts off in
plaintext, then a command is issued to turn on encryption, encryption
is negotiated, and the session restarts. This has become a very common
way to handle encryption, because it simplifies client configuration
and requires only one TCP port.
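To make the "delayed encryption" sequence concrete, here is a small model of such a session. It is an added example, not code from the UCSPI-TLS page or its patches: the command names ("HELLO", "STARTTLS", "NOOP") are assumed for illustration, and the encrypted channel is represented by a flag rather than real TLS, since in UCSPI-TLS the negotiation is done by the encryption subprocess, not by the server program. What the model shows is the restart step: state the peer established in plaintext is reset, and any bytes that arrived in the same plaintext read as the STARTTLS command are discarded instead of being executed as if they had come over the encrypted channel.

```python
"""Model of a UCSPI-TLS style "delayed encryption" session (added example)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    encrypted: bool = False            # stands in for "TLS is now active"
    greeted: bool = False              # plaintext state, reset on restart
    buffered: bytes = b""              # bytes received but not yet handled
    discarded: list = field(default_factory=list)  # plaintext dropped at restart

    def feed(self, data: bytes) -> list:
        """Feed raw bytes from the peer and return the replies produced."""
        self.buffered += data
        replies = []
        while b"\n" in self.buffered:
            line, self.buffered = self.buffered.split(b"\n", 1)
            reply, restarted = self.handle(line.strip())
            replies.append(reply)
            if restarted:
                # Session restart: whatever followed the STARTTLS command in
                # the same plaintext read was sent before encryption was on,
                # so it is dropped rather than run inside the new session.
                self.discarded.append(self.buffered)
                self.buffered = b""
        return replies

    def handle(self, line: bytes) -> tuple:
        """Handle one command line; return (reply, restarted)."""
        cmd = line.upper()
        if cmd == b"HELLO":
            self.greeted = True
            return ("250 hello" + (" (tls)" if self.encrypted else ""), False)
        if cmd == b"STARTTLS":
            if self.encrypted:
                return ("503 already encrypted", False)
            # Here the real implementation hands the connection to the
            # low-privilege encryption process and waits for the handshake.
            self.encrypted = True
            self.greeted = False       # the peer must start over
            return ("220 ready to start TLS", True)
        if cmd == b"NOOP":
            if not self.greeted:
                return ("503 greet first", False)
            return ("250 ok", False)
        return ("500 unknown command", False)


def run_demo() -> list:
    """Constructed exchange: plaintext greeting, STARTTLS with a pipelined
    command, then the restarted session. Returns all replies in order."""
    s = Session()
    replies = []
    replies += s.feed(b"HELLO\n")             # plaintext phase
    replies += s.feed(b"STARTTLS\nNOOP\n")    # NOOP arrived in plaintext
    replies += s.feed(b"NOOP\n")              # refused: state was reset
    replies += s.feed(b"HELLO\n")             # greet again, now encrypted
    replies += s.feed(b"NOOP\n")
    return replies, s.discarded


if __name__ == "__main__":
    for reply in run_demo()[0]:
        print(reply)
```

The `discarded` list is the part worth checking in a real server: if the pipelined `NOOP` were left in the read buffer and handled after the switch, it would be treated as an authenticated, encrypted command even though it arrived in the clear.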
Why would I want UCSPI-TLS?
These are the goals of the UCSPI-TLS protocol:
- Simple, UCSPI-compatible use.
- Support for both traditional SSL and delayed encryption through
STARTTLS or similar.
- All SSL/TLS code in one place.
- Minimal changes required for each server.
Additionally, a specific goal of this implementation is:
- Support for "privilege separation", so that encryption can happen
in a low-privilege subprocess.
I believe the privilege separation feature increases your system's
security significantly. It creates a dedicated process to handle each
encrypted connection, and this process can change its root directory
and switch to a low-privilege user and group. Because of its
complexity, OpenSSL has had its share of security bugs. Doing
encryption in a low-privilege process limits the damage a bug in that
code can do.
How do I use UCSPI-TLS?
All of the UCSPI-TLS implementations here are patches to existing
programs.
For more detailed instructions on using UCSPI-TLS with ucspi-ssl
and netqmail, see the UCSPI-TLS
on netqmail HOWTO.
There are also other files and versions of the
patches.
Who's behind UCSPI-TLS?
Scott Gifford helped
design the UCSPI-TLS protocol, and wrote most of the code here.
Charlie Brady also helped design the UCSPI-TLS protocol.
Hey, neat! What else is here?