[SSL Observatory] TLS 1.1/1.2 support

Ivan Ristic ivan.ristic at gmail.com
Mon Aug 22 23:45:04 PDT 2011


On Mon, Aug 22, 2011 at 7:45 PM, Larry Seltzer <larry at larryseltzer.com> wrote:
> From the presentation: "Lack of support for TLS v1.1 and v1.2 is a
> cause for concern"
>
> Why? It looks like very few people care.

I am concerned because -- judging from the pace of the renegotiation
patching -- it takes 1-2 years for most people to patch their TLS
stacks. Deploying workarounds or reconfiguring is _much_ faster. Thus
I think it's overall safer to be working with protocols that provide
support for a more diverse set of primitives.


> BTW, Windows 7 and Windows Server 2008 R2 support it out of the box on
> the client side, but would it necessarily follow that IIS supports it
> as a server?

AFAIK, Windows Server supports TLS 1.2, but it won't speak it by
default. It needs to be explicitly told to use it.


> On Mon, Aug 22, 2011 at 12:58 PM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
>>
>> The most recent results are from April 2011:
>>
>> http://blog.ivanristic.com/2011/04/fresh-internet-ssl-survey-results-april-2011-available.html
>>
>> Protocol analysis is on slide 30. Of course, little changed from 2010,
>> the support for TLS 1.1 and TLS 1.2 is virtually non-existent.
>>
>>
>> On Mon, Aug 22, 2011 at 9:47 AM, Peter Gutmann
>> <pgut001 at cs.auckland.ac.nz> wrote:
>> > Erwann ABALEA <erwann at abalea.com> writes:
>> >
>> >>SSLLabs from Qualys gives a rating of your website SSL configuration, after
>> >>some tests. It can also detect TLS1.1/1.2, and detect a bogus answer to a
>> >>nonexistent TLS version (3.99).
>> >
>> > Ahh, good point.  The last figures they published were for Black Hat 2010, for
>> > which there were a few hundred TLS 1.1 servers and effectively zero TLS 1.2
>> > servers (less than a dozen, probably most or even all test servers run by
>> > various vendors).  OTOH since both TLS 1.1 and 1.2 have been around for years
>> > the BH'10 figures are probably still pretty representative.
>> >
>> > Peter.
>> >
>>
>>
>>
>> --
>> Ivan Ristić
>



-- 
Ivan Ristić
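
Added example, not part of the original thread and not SSL Labs' own code: one way to classify a server's first reply to a ClientHello that offers the nonexistent version 3.99 mentioned in the quoted message. The sample records are constructed inline, the result labels are this example's own, and only the legacy (major, minor) version field is examined.

```python
import struct

# Legacy (major, minor) wire versions; 3.99 is the nonexistent probe version.
KNOWN = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def server_hello(version, record_version=(3, 1)):
    """Build a minimal ServerHello record (constructed sample, not a capture)."""
    # server_version + 32-byte random + empty session id + cipher suite + compression
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(hs)) + hs

def alert(description, level=2, record_version=(3, 1)):
    """Build a TLS alert record (constructed sample)."""
    return b"\x15" + bytes(record_version) + b"\x00\x02" + bytes([level, description])

def classify(offered, response):
    """Classify the first record a server sent after a ClientHello offering `offered`."""
    if len(response) < 5:
        return "intolerant: no usable reply"
    ctype, length = response[0], struct.unpack("!H", response[3:5])[0]
    payload = response[5:5 + length]
    if len(payload) < length:
        return "malformed: truncated record"
    if ctype == 0x15 and length == 2:
        # payload is (level, description); 70 is protocol_version
        return f"intolerant: alert {payload[1]}"
    if ctype != 0x16 or length < 6 or payload[0] != 0x02:
        return "malformed: not a ServerHello"
    # Handshake header is 4 bytes; server_version follows it.
    chosen = (payload[4], payload[5])
    if chosen not in KNOWN:
        return f"bogus: server answered nonexistent version {chosen[0]}.{chosen[1]}"
    if chosen > offered:
        return "bogus: server chose a version above the one offered"
    return f"ok: negotiated {KNOWN[chosen]}"

if __name__ == "__main__":
    probe = (3, 99)
    for reply in (server_hello((3, 3)), server_hello((3, 1)),
                  server_hello((3, 99)), alert(70), b""):
        print(classify(probe, reply))
```

A correct server answers such a probe with the highest version it actually supports; a reply of 3.99, an alert, or a dropped connection each point to a different handling defect in the stack.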


