[SSL Observatory] TLS 1.1/1.2 support

Erwann ABALEA erwann at abalea.com
Mon Aug 22 10:58:16 PDT 2011


2011/8/22 Larry Seltzer <larry at larryseltzer.com>:
> From the presentation: "Lack of support for TLS v1.1 and v1.2 is a
> cause for concern"
>
> Why? It looks like very few people care.

Very few, but on what surface? As a PKI operator employee, when we want
to deploy our solutions, the customer often asks about TLS1.1 and 1.2
support, or an EDH group larger than or equal to 2048 bits, or some
enforcement that a 3DES key won't be used to encrypt more than 1GB of
data.

I agree that Mr John Doe doesn't care about TLS1.2, even if Mr John
Doe has to set up a web server for his company. He probably will buy a
low-cost certificate, with "mailserver" encoded in the SAN, and that's
it.

After all, Mr John Doe doesn't care about having his certificate
signed with sha256withRSA or md5withRSA. That doesn't mean it's not a
cause for concern :)

> BTW, Windows 7 and Windows Server 2008 R2 support it out of the box on
> the client side, but would it necessarily follow that IIS supports it
> as a server?

It does. GNUTLS does also (and hence, mod_gnutls for Apache).

-- 
Erwann.
