Forums.FreeBSD.org - SSL Issue?
Charles Swiger
cswiger at mac.com
Thu May 14 17:23:14 UTC 2015
On May 14, 2015, at 8:24 AM, Karl Denninger <karl at denninger.net> wrote:
> [ ... ]
> I'd love to lock out TLS 1.0 but if you do that anyone still running
> anything that uses XP cannot connect.

True for WinXP + IE6:
https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=6&platform=XP

However, large financial institutions like the major banks and large e-commerce
sites have disabled SSL v2 and SSL v3. Folks still on XP will need to use IE8,
Firefox, Chrome, etc. if they want to talk to many secure websites.

> There ARE people out there still using that in the wild. Not a huge
> number, but a material number. On several relatively large systems I
> monitor the "in the wild" user count for Windows XP is still around 4%
> of all users to the sites.
>
> Same problem with RC4. I'd love to lock that out too, but see above --
> that means 4% of the users can't connect (at all.)

WinXP + IE6 or IE8 should be the only common client which has RC4-SHA
or RC4-MD5 as the best supported cipher. Everything else should support
AES128-SHA or better.

Regards,
--
-Chuck
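
Added example, not part of the original message or of any FreeBSD code: one way to measure, from a server's own handshake log, what share of clients would be cut off by dropping RC4, TLS 1.0 and older, or both, which is the trade-off discussed in the thread. The three-field log layout, the sample lines and the names `lockout_report`, `refused`, `POLICIES` and `LEGACY_PROTOCOLS` are assumptions made for the illustration; call `lockout_report(SAMPLE_LOG)` to see the result for the constructed data.

```python
from collections import defaultdict

# Constructed sample, one handshake per line (assumed log layout):
# "<client address> <negotiated protocol> <negotiated cipher>"
SAMPLE_LOG = """\
198.51.100.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.12 TLSv1 AES128-SHA
198.51.100.13 TLSv1 RC4-SHA
198.51.100.13 TLSv1 RC4-SHA
198.51.100.14 TLSv1.1 AES128-SHA
198.51.100.15 SSLv3 RC4-MD5
198.51.100.16 TLSv1.2 AES128-SHA
198.51.100.17 TLSv1.2 AES128-SHA
truncated-entry TLSv1
"""

# TLS 1.0 and everything older; dropping TLS 1.0 implies dropping these too.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

# policy name -> (refuse legacy protocols, refuse RC4 ciphers)
POLICIES = {"no_rc4": (False, True), "no_tls10": (True, False), "both": (True, True)}


def refused(proto, cipher, drop_legacy, drop_rc4):
    """True if this handshake could not complete under the policy."""
    return (drop_legacy and proto in LEGACY_PROTOCOLS) or (drop_rc4 and "RC4" in cipher)


def lockout_report(log_text):
    """Per policy, list the clients whose every observed handshake would be refused.
    The negotiated values only show a client's ceiling if the server already
    offers TLS 1.2 and prefers AES over RC4 in its own cipher order.
    """
    seen = defaultdict(set)  # client -> {(protocol, cipher), ...}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:  # skip malformed or truncated entries
            continue
        seen[fields[0]].add((fields[1], fields[2]))
    report = {}
    for name, (drop_legacy, drop_rc4) in POLICIES.items():
        cut = sorted(c for c, hs in seen.items()
                     if all(refused(p, k, drop_legacy, drop_rc4) for p, k in hs))
        pct = round(100.0 * len(cut) / len(seen), 1) if seen else 0.0
        report[name] = {"clients": cut, "percent": pct}
    return report
```
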

More information about the freebsd-security mailing list