[SSL Observatory] TLS 1.1/1.2 support

Larry Seltzer larry at larryseltzer.com
Sun Aug 21 19:09:13 PDT 2011


Wow, that's striking. I don't see a field named anything like
"tls_version_desc" in the December MySQL data and the "version" field
has nothing but '3' (meaning SSL 3.0 I presume) in it.

1.1 and 1.2 appear to be failures. I hope nobody's wasting their time
working on 1.3.

LJS

On Sun, Aug 21, 2011 at 9:23 PM, George Macon <george.macon at gmail.com> wrote:
> Since the observatory raw data consists of SSL Handshakes, this data
> exists (but was not pulled into the MySQL dumps, IIRC). When I was
> analyzing the data at the beginning of this year, I found these results
> over all hosts:
>
>  tls_version_desc | num_hosts
> ------------------+-----------
>  TLS 1.0          |  10827002
>  SSL 3.0          |    512309
>  TLS 1.1          |         1
> (3 rows)
>
> I don't remember (and can't find in my notes) what version was offered
> by the client to the server. On the other hand, it seems to me unlikely
> that a server supporting 1.2 and offered 1.1 would negotiate 1.0, so
> it's probably safe to conclude that when the first scan was completed,
> no one was supporting 1.1 or 1.2. (One host out of 10 million doesn't
> count :)
>
> On 8/21/11 6:51 PM, Larry Seltzer wrote:
>> I recently noticed that Firefox appears to support only TLS 1.0, not
>> 1.1 or 1.2. Windows (and therefore IE) only began supporting 1.1 and
>> 1.2 in Windows 7, but they are turned off by default. The reason why
>> is in this blog post:
>> http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx
>>
>> It explains that many older HTTPS servers freak out at 1.1 and 1.2
>> clients and return a "Fatal Alert: Protocol Version" error.
>>
>> Perhaps SSL/TLS version support would be a good feature for future scans.
>>
>> LJS
>
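The table George quotes above is a tally of the version field from the ServerHello each scanned host sent back, and the "Fatal Alert: Protocol Version" behaviour Larry mentions is what a version-intolerant server sends instead of a ServerHello. The following script, added here as an illustration and not code from the thread or from the Observatory project, parses both kinds of response from raw TLS record bytes and produces the same kind of version/host-count tally. The record and handshake layouts follow RFC 5246; the sample responses are constructed in the script, and the `build_*` helpers exist only to fabricate them.

```python
import struct
from collections import Counter

# TLS record-layer and handshake constants (RFC 5246).
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO = 2
ALERT_PROTOCOL_VERSION = 70  # alert description for "protocol_version"

# Wire (major, minor) -> human name, as in the observatory's tls_version_desc column.
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def parse_server_response(data: bytes) -> str:
    """Classify the first TLS record a server sent back to a scanner.

    Returns the negotiated version name for a ServerHello, or
    'alert:<description>' for an Alert record (e.g. the protocol_version
    alert that version-intolerant servers send to newer clients).
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _rec_major, _rec_minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated TLS record body")

    if content_type == CONTENT_ALERT:
        if length < 2:
            raise ValueError("alert record too short")
        description = body[1]  # body[0] is the alert level
        if description == ALERT_PROTOCOL_VERSION:
            return "alert:protocol_version"
        return f"alert:{description}"

    if content_type == CONTENT_HANDSHAKE:
        if length < 6:
            raise ValueError("handshake record too short")
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        if hs_type != HS_SERVER_HELLO or 4 + hs_len > length:
            raise ValueError("expected a complete ServerHello")
        # ServerHello.server_version is the version the server actually
        # negotiated. Note the caveat from the thread: this is bounded by
        # whatever the client offered, so a TLS 1.0-only scanner can never
        # observe a TLS 1.1/1.2 server as anything but "TLS 1.0".
        major, minor = body[4], body[5]
        return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")

    raise ValueError(f"unexpected content type {content_type}")


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed minimal ServerHello record (test fixture only)."""
    # server_version, 32-byte random, empty session id, cipher suite, null compression
    hs_body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([CONTENT_HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def build_alert(description: int, major: int = 3, minor: int = 1) -> bytes:
    """Constructed fatal Alert record (test fixture only)."""
    return bytes([CONTENT_ALERT, major, minor, 0, 2, 2, description])


def tally(responses) -> Counter:
    """Count responses by negotiated version / alert, like the quoted table."""
    return Counter(parse_server_response(r) for r in responses)


# Constructed sample: a handful of hosts mirroring the shape of the real results.
SAMPLE_RESPONSES = (
    [build_server_hello(3, 1)] * 4          # TLS 1.0
    + [build_server_hello(3, 0)] * 2        # SSL 3.0
    + [build_server_hello(3, 2)]            # the lone TLS 1.1 host
    + [build_alert(ALERT_PROTOCOL_VERSION)]  # version-intolerant server
)

if __name__ == "__main__":
    print(f"{'tls_version_desc':<24} | num_hosts")
    print("-" * 25 + "+" + "-" * 11)
    for name, count in sorted(tally(SAMPLE_RESPONSES).items(), key=lambda kv: -kv[1]):
        print(f" {name:<23} | {count:>9}")
```

Counting the alert responses separately is the useful addition for a future scan: a host that answers a higher-version ClientHello with a protocol_version alert is exactly the misbehaving server class the linked IE blog post describes, and it would otherwise be invisible in a tally that records only successful handshakes.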



More information about the Observatory mailing list