What is StartTLS? known also as Opportunistic TLS


StartTLS or Opportunistic TLS is a communication pattern that secures the traffic in the middle of a plaintext connection.

It is different from SSL/TLS, which secures the traffic from the beginning of the connection.


It's used in cases where the server supports both:

  • and clear connections.

For instance, SMTP is not secured by default, which means that if you were to send an email over SMTP without StartTLS the email could be intercepted and easily interpreted.


StartTLS is composed of three steps:

  • A Client sends a StartTLS request to a server
  • A Server sends a StartTLS response to the client.
  • Client begins SSL/TLS handshake.


Example of SMTP scenario

S: 220 mail.example.org ESMTP service ready  # <-- The server presents itself
C: EHLO client.example.org # <-- The client presents itself
S: 250-mail.example.org offers a warm hug of welcome  # <-- The server welcomes
S: 250 STARTTLS # <-- The server makes StartTls mandatory
C: STARTTLS  # <-- The StartTls client request
S: 220 Go ahead # <-- The server is ready for the handshake
C: <starts TLS negotiation> 
C & S: <negotiate a TLS session>
C & S: <check result of negotiation>
C: EHLO client.example.org # <-- The connection is secured


If you implement a server, you need to:

  • Create a new SSL/TLS Handler,
  • Insert it into your network traffic handler, and
  • Write a StartTLS response so that the client can begin the SSL handshake

The client-side implementation is much simpler.

  • Write a StartTLS request,
  • Wait for the StartTLS response,
  • Create a new SSL/TLS Handler and Initiate SSL handshake.


Discover More
How to send an email at the command line with SMTP? Email transaction explained

This page is a how-to that describes how you can transport an email to a SMTP server at the command line using the SMTP protocol for further delivery It will show you the inner mechanisms of SMTP. Below...
Tls Version Firefox
Network - TLS

TLS is a cryptographic protocol and the successor to SSL, and is described in the 2246RFC 2246 standard. The protocol name was changed from SSL to TLS when it became a standard. TLS is a protocol that...
Gmail Tls Security
Postfix - TLS (SSL) configuration

Transport Layer Security (TLS, formerly called SSL) with Postfix It provides: certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted:...
The SMTP Protocol

A summary of what the SMTP protocol is and how to send an email from a network connection with telnet or netcat
What are the SMTP Ports? (25, 465, 587)

This article regroups all information and configuration around this subject

Share this page:
Follow us:
Task Runner