This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ssl packet and ssl mail packet

0

Hi, is there any way to tell the difference between a normal SSL packet and an SSL mail packet?

asked 21 Sep '11, 15:44

timho1985

What's 'ssl mail'?

(21 Sep '11, 22:29) Jaap ♦

2 Answers:

2

If by "ssl mail" you mean SMTP-over-TLS or POP-over-TLS or something such as that, then an "ssl mail packet" IS a normal SSL/TLS packet; there's nothing about HTTP-over-TLS that makes it more "normal" than anything else over SSL/TLS.

answered 22 Sep '11, 15:18

Guy Harris ♦♦

Thank you. I was looking for a pattern to distinguish the packets of POP-over-TLS and HTTP-over-TLS. I guess there isn't one, then.

(22 Oct '11, 19:25) timho1985

2

Under normal circumstances, HTTP-over-SSL will use TCP port 443 and POP-over-TLS will use TCP port 995. Of course, people can use different ports, in which case the port will not give away its upper-layer protocol (even on the default ports, people can use another protocol, for example HTTP-over-SSL on port 995).

One other thing that might help you is to look at the CommonName in the Certificate (look for the Certificate PDU and expand it); this usually has the fully qualified domain name in it. So if it has something like www.example.com, you might assume it's HTTP-over-SSL, and if it is pop.example.com, you might assume it is POP-over-TLS. Of course, this can also be forged to be misleading.

answered 08 Nov '11, 00:56

SYN-bit ♦♦
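The two answers above, combined into an added example (not code from the original posts or from Wireshark): the TLS record header carries no application-protocol field, so the only hints are the TCP port and the certificate CommonName, and the sketch reports when they disagree. The `www`/`pop` label table, the helper names and all sample bytes are assumptions constructed for illustration; the CommonName scan is a naive byte search, not a full X.509 parser.

```python
import struct

# Default ports named in the answer; any other port gives no hint.
PORT_HINTS = {443: "HTTP-over-TLS", 995: "POP-over-TLS"}
# Assumed naming convention: first DNS label of the certificate CommonName.
LABEL_HINTS = {"www": "HTTP-over-TLS", "pop": "POP-over-TLS"}
CN_OID = bytes.fromhex("0603550403")  # DER for OID 2.5.4.3 (commonName)


def record_header(data):
    """Parse the 5-byte TLS record header: (content type, version, length)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def common_names(der):
    """Naive scan for CommonName values in DER bytes (issuer first, then subject)."""
    names, pos = [], der.find(CN_OID)
    while pos != -1:
        start = pos + len(CN_OID)          # string tag byte, then short-form length
        if start + 1 >= len(der):          # truncated input: stop scanning
            break
        length = der[start + 1]
        names.append(der[start + 2:start + 2 + length].decode("ascii", "replace"))
        pos = der.find(CN_OID, start)
    return names


def guess(port, cn):
    """Combine both hints; report disagreement instead of picking a winner."""
    by_port = PORT_HINTS.get(port)
    by_name = LABEL_HINTS.get(cn.split(".")[0].lower())
    if by_port and by_name and by_port != by_name:
        return "conflict: port suggests %s, CN suggests %s" % (by_port, by_name)
    return by_port or by_name or "unknown"


def cn_attr(cn):
    """Build a constructed DER commonName attribute (PrintableString) for the demo."""
    value = b"\x13" + bytes([len(cn)]) + cn.encode("ascii")
    return b"\x30" + bytes([len(CN_OID) + len(value)]) + CN_OID + value


# Constructed sample data, not taken from a real capture.
APP_DATA_443 = bytes.fromhex("1703010020") + bytes(32)       # opaque ciphertext
APP_DATA_995 = bytes.fromhex("1703010020") + b"\xff" * 32    # opaque ciphertext
SAMPLE_NAMES = cn_attr("Example CA") + cn_attr("pop.example.com")

if __name__ == "__main__":
    print(record_header(APP_DATA_443) == record_header(APP_DATA_995))
    for port in (995, 443, 8443):
        print(port, "->", guess(port, common_names(SAMPLE_NAMES)[-1]))
```

A "conflict" result is the case both answers warn about: a non-default service on a default port, or a certificate name that does not reflect the service.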