
The Transport Layer Security protocol makes it possible to communicate securely over a network. Without TLS, sensitive data such as login credentials are transmitted in plain text.

The protocol secures communication channels in three ways:

  • Data transferred to and from a client and server is encrypted.
  • The identity of the parties exchanging data is authenticated.
  • The data that is transmitted is verified to make sure it hasn’t been tampered with.

SSL vs TLS

The terms SSL and TLS are used interchangeably but they are different protocols. The SSL protocol is deprecated and no longer used, and TLS is the successor of SSL. The name SSL has stuck, but when people talk about SSL they typically refer to TLS. An SSL certificate, for instance, is really a TLS certificate.

As at April 2021 there are two current versions of the TLS protocol: 1.2 and 1.3.

| Protocol | Released | Deprecated | Notes |
|----------|----------|------------|-------|
| SSL 1.0 | N/A | N/A | Had too many security flaws to even be released. |
| SSL 2.0 | 1995 | 2011 | Contained security issues from the start. |
| SSL 3.0 | 1996 | 2014 | Vulnerable to the infamous POODLE exploit. |
| TLS 1.0 | 1999 | 2020 | Designed as an improved version of SSL 3.0. |
| TLS 1.1 | 2006 | 2020 | |
| TLS 1.2 | 2008 | N/A | |
| TLS 1.3 | 2018 | N/A | |

TLS ports

As said, TLS is used everywhere. Obviously, it is what puts the ‘S’ in ‘HTTPS’. It is also what enables secure email communication, secure FTP and SSH. The table below lists the most common protocols, together with the port number and whether or not TLS is used.

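| Protocol | Port | TLS |
|----------|------|-----|
| HTTP | 80 | No |
| HTTPS | 443 | Yes |
| IMAP | 143 | No |
| IMAPS | 993 | Yes |
| POP3 | 110 | No |
| POP3S | 995 | Yes |
| SMTP | 25 | No |
| SMTP | 465 | Yes |
| SMTP | 587 | Yes |
| FTP | 21 | No |
| FTPS | 990 | Yes |
| FTPES | 21 | Yes |
| Telnet | 23 | No |
| SSH | 22 | Yes |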

The FTP and SMTP protocols have two secure ports. FTPS (port 990) and SMTP over port 465 use explicit TLS. With explicit TLS the connection between a client and server is secured from the start. The connection fails if a secure connection can’t be established. This is different from implicit TLS (FTPES and SMTP over port 587). Implicit TLS starts with a plain text channel to allow the client and server to negotiate how to secure the channel. The logins are submitted only after the connection has been secured.

In particular SMTP over port 465 is a bit of an oddity. Officially, the port wasn’t used for secure SMTP for many years, but in practice it was used everywhere. You can use port 465 for SMTP on all our mail servers. However, you shouldn’t use port 990 for FTP – use FTPES instead.

Supported operating systems and clients

The reason why old TLS protocols stick around for so long is that many people use operating systems and/or software that lacks support for current TLS protocols. All operating systems and applications that are maintained support TLS 1.2. However, if you run a deprecated version of Windows or macOS then you may run into TLS errors when trying to connect to a server.

Windows

Windows 7, 8, 8.1 and 10 all have support for TLS 1.2. Please note that Windows XP and Vista are not supported. Also, you may run into TLS issues if you use Outlook on Windows 7 (you might see the error “Your server does not support the connection encryption type you have specified”). If so, you can install Windows update KB3140245. Of course, Windows 7 is no longer supported by Microsoft – upgrading the operating system is a better option.

macOS

On OS X, TLS 1.2 has been supported since version 10.9 (“Mavericks”). If you use Mac Mail for your email then you need to use at least version 10.12 (“Sierra”). Thunderbird will work on 10.9.

Mavericks was released in 2013 and has been unsupported since 2016, while Sierra appeared on the stage in 2016 and was deprecated in 2019.

Linux, BSD, Chrome OS

Any current Linux, Chrome OS or BSD operating system has support for TLS 1.2, as have email applications available in the repositories for these platforms.

Android

Android has had support for TLS 1.2 since version 4.0 (“Ice Cream Sandwich”). This version was launched in 2011 and reached end-of-life in December 2018.

iOS

iOS 10 and later versions all have good support for TLS 1.2. This means that all maintained versions of the operating system will work without problems.