[SSL Observatory] TLS 1.1/1.2 support
George Macon
george.macon at gmail.com
Sun Aug 21 18:23:37 PDT 2011
Since the observatory raw data consists of SSL Handshakes, this data
exists (but was not pulled into the MySQL dumps, IIRC). When I was
analyzing the data at the beginning of this year, I found these results
over all hosts:

 tls_version_desc | num_hosts
------------------+-----------
 TLS 1.0          |  10827002
 SSL 3.0          |    512309
 TLS 1.1          |         1
(3 rows)

I don't remember (and can't find in my notes) what version was offered
by the client to the server. On the other hand, it seems to me unlikely
that a server supporting 1.2 and offered 1.1 would negotiate 1.0, so
it's probably safe to conclude that when the first scan was completed,
no one was supporting 1.1 or 1.2. (One host out of 10 million doesn't
count :)
On 8/21/11 6:51 PM, Larry Seltzer wrote:
> I recently noticed that Firefox appears to support only TLS 1.0, not
> 1.1 or 1.2. Windows (and therefore IE) only began supporting 1.1 and
> 1.2 in Windows 7, but they are turned off by default. The reason why
> is in this blog post:
> http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx
>
> It explains that many older HTTPS servers freak out at 1.1 and 1.2
> clients and return a "Fatal Alert: Protocol Version" error.
>
> Perhaps SSL/TLS version support would be a good feature for future scans.
>
> LJS
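
As an added example (not part of the original message and not the Observatory's own tooling): a per-version tally like the table above can be produced by reading the server_version field of each captured ServerHello, counting the "Fatal Alert: Protocol Version" replies mentioned in the quoted text separately. The function names and the sample records are assumptions constructed for illustration.

```python
import struct
from collections import Counter

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE, ALERT, SERVER_HELLO = 22, 21, 2
PROTOCOL_VERSION_ALERT = 70  # alert description "protocol_version"

def negotiated_version(record: bytes) -> str:
    """Classify the first record a server sent back in a handshake."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _maj, _min, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record")
    if ctype == ALERT and rlen == 2:
        # Body is (level, description); version-intolerant servers send 70.
        if body[1] == PROTOCOL_VERSION_ALERT:
            return "alert protocol_version"
        return f"alert {body[1]}"
    if ctype != HANDSHAKE or rlen < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    # server_version sits in the handshake body after the 1-byte type and
    # 3-byte length; the record-header version is not the negotiated one.
    key = (body[4], body[5])
    return VERSIONS.get(key, "unknown %d.%d" % key)

def tally(records):
    """Count hosts per negotiated version, like the table in the message."""
    return Counter(negotiated_version(r) for r in records)

def make_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample: minimal ServerHello (zero random, no session id)."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(hs)) + hs

def make_alert(description: int) -> bytes:
    """Constructed sample: fatal alert record (level 2)."""
    return struct.pack("!BBBHBB", ALERT, 3, 1, 2, 2, description)

# Constructed sample data, one first-response record per host.
SAMPLES = [make_server_hello(3, 1)] * 3 + [
    make_server_hello(3, 0), make_server_hello(3, 2), make_alert(70)]

if __name__ == "__main__":
    for name, n in tally(SAMPLES).most_common():
        print(f"{name:24} | {n}")
```

A tally of this kind only shows what each server chose for the version the scanner offered, so the client_version sent in the ClientHello has to be recorded alongside it before concluding anything about TLS 1.1 or 1.2 support.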