Lutz Jaenicke wrote:

> A server not having a certificate suitable for its cipher suite or not having
> a certificate at all (leaving out the anonymous case here) will not be able to
> complete the TLS handshake.
> Hence it has the choice to either
> a) not advertise STARTTLS in the first place
> b) advertise STARTTLS but then send the 454 response when actually trying to
> start the TLS handshake.
> Alternative b) makes sense to me, if the administrator actually wants to
> use STARTTLS but has made some configuration error and the server software
> notices this error.
> I think this is more consistent than alternative a) which would ignore the
> intention of the administrator by simply not advertising STARTTLS.

Who said the administrator stated an intention? The situation I've seen is where the server software implements STARTTLS, advertising it out of the box with the administrator's having taken no action other than to install the software. In such a case there is no cert and STARTTLS cannot possibly complete a handshake, yet clients which implement STARTTLS are penalized with an extra round trip when talking to such servers.
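The two server behaviours under discussion, and the extra round trip the reply complains about, can be seen in a small simulated exchange. The following is an added example, not code from either poster; it models the EHLO/STARTTLS dialogue in-process rather than over a socket, and the specific reply strings (the RFC 3207 "454 4.7.0" text and a "502" for a STARTTLS command that was never advertised) are assumptions chosen for illustration.

```python
"""Simulated SMTP STARTTLS negotiation (constructed example, no network I/O)."""

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FakeSmtpServer:
    """Toy server model.

    advertise_starttls: whether EHLO lists the STARTTLS extension.
    has_cert: whether a certificate is configured, i.e. whether a TLS
              handshake could actually be completed.
    """
    advertise_starttls: bool
    has_cert: bool
    hostname: str = "mail.example"          # constructed name
    transcript: List[str] = field(default_factory=list)

    def ehlo(self, client_name: str) -> List[str]:
        """Answer EHLO with a multi-line 250 response."""
        self.transcript.append(f"C: EHLO {client_name}")
        lines = [f"250-{self.hostname}"]
        if self.advertise_starttls:
            lines.append("250-STARTTLS")
        lines.append("250 OK")
        self.transcript.extend(f"S: {l}" for l in lines)
        return lines

    def starttls(self) -> str:
        """Answer the STARTTLS command (assumed reply codes, see lead-in)."""
        self.transcript.append("C: STARTTLS")
        if not self.advertise_starttls:
            reply = "502 5.5.1 Command not implemented"
        elif not self.has_cert:
            # RFC 3207 wording for a server that cannot start TLS right now.
            reply = "454 4.7.0 TLS not available due to temporary reason"
        else:
            reply = "220 2.0.0 Ready to start TLS"
        self.transcript.append(f"S: {reply}")
        return reply


def negotiate(server: FakeSmtpServer,
              client_name: str = "client.example") -> Tuple[bool, int]:
    """Client side: return (tls_established, round_trips_spent).

    The client only sends STARTTLS if the EHLO response advertised it,
    which is the behaviour the thread assumes of conforming clients.
    """
    round_trips = 1
    ehlo_lines = server.ehlo(client_name)
    advertised = any(l[4:] == "STARTTLS" for l in ehlo_lines)
    if not advertised:
        return False, round_trips
    round_trips += 1
    reply = server.starttls()
    return reply.startswith("220"), round_trips


def compare_policies() -> dict:
    """Run the three cases the thread contrasts and report the cost of each."""
    cases = {
        "configured":       FakeSmtpServer(advertise_starttls=True,  has_cert=True),
        "advertise_no_cert": FakeSmtpServer(advertise_starttls=True,  has_cert=False),
        "silent_no_cert":   FakeSmtpServer(advertise_starttls=False, has_cert=False),
    }
    return {name: negotiate(srv) for name, srv in cases.items()}


if __name__ == "__main__":
    for name, (ok, rtts) in compare_policies().items():
        print(f"{name:18s} tls={ok!s:5s} round_trips={rtts}")
```

Running it shows alternative (b) costing the client a second round trip that ends in a 454, while alternative (a) lets the client learn in the EHLO response alone that TLS is not on offer; the `transcript` list on each server holds the full dialogue for inspection.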