Date: Thu, 14 May 2015 10:23:12 -0700
From: Charles Swiger <cswiger@mac.com>
To: Karl Denninger <karl@denninger.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <C38C48B4-D0AD-450E-A6B4-CCBBFFD0925D@mac.com>
In-Reply-To: <5554BE22.1000407@denninger.net>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <CAKE2PDtM6q14q2BdmB5PNht=Q3Q0VQRh64nh1Lfd9Y9uCryibw@mail.gmail.com> <C6A26209-6DB6-4842-9810-B670E3461AAE@patpro.net> <5554BE22.1000407@denninger.net>

On May 14, 2015, at 8:24 AM, Karl Denninger <karl@denninger.net> wrote:
> [ ... ]
> I'd love to lock out TLS 1.0 but if you do that anyone still running
> anything that uses XP cannot connect.

True for WinXP + IE6:

  https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=6&platform=XP

However, large financial institutions like the major banks and large
e-commerce sites have disabled SSL v2 and SSL v3.  Folks still on XP will
need to use IE8, Firefox, Chrome, etc. if they want to talk to many secure
websites.

> There ARE people out there still using that in the wild.  Not a huge
> number, but a material number.  On several relatively large systems I
> monitor the "in the wild" user count for Windows XP is still around 4%
> of all users to the sites.
>
> Same problem with RC4.  I'd love to lock that out too, but see above --
> that means 4% of the users can't connect (at all.)

WinXP + IE6 or IE8 should be the only common client which has RC4-SHA or
RC4-MD5 as the best supported cipher.  Everything else should support
AES128-SHA or better.

Regards,
-- 
-Chuck
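
The thread turns on how many clients a stricter policy would lock out. The following is an added example, not part of either poster's message: it counts, from per-connection records, the clients whose every observed handshake used TLS 1.0 or older, or an RC4 suite. The three-field log layout and the sample lines are constructed assumptions; cipher names follow OpenSSL's spelling.

```python
from collections import defaultdict

# Constructed sample, one connection per line (assumed layout):
#   <client-ip> <negotiated-protocol> <negotiated-cipher>
SAMPLE_LOG = """\
198.51.100.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.11 TLSv1 RC4-SHA
198.51.100.12 TLSv1 AES128-SHA
198.51.100.13 TLSv1.1 AES128-SHA
198.51.100.14 SSLv3 RC4-MD5
malformed line
198.51.100.15 TLSv1.2 AES128-SHA
"""

OLD_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})


def parse(log_text):
    """Map each client to the set of (protocol, cipher) pairs it negotiated."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].startswith(("TLSv", "SSLv")):
            continue  # line is not in the assumed layout
        seen[parts[0]].add((parts[1], parts[2]))
    return seen


def is_rc4(cipher):
    # Matches RC4-SHA and RC4-MD5 as well as ECDHE-RSA-RC4-SHA.
    return "RC4" in cipher.split("-")


def lockout_report(log_text, old_protocols=OLD_PROTOCOLS):
    """Clients for which every observed connection would be refused."""
    seen = parse(log_text)
    old = {c for c, conns in seen.items()
           if all(p in old_protocols for p, _ in conns)}
    rc4 = {c for c, conns in seen.items()
           if all(is_rc4(cipher) for _, cipher in conns)}
    both = {c for c, conns in seen.items()
            if all(p in old_protocols or is_rc4(k) for p, k in conns)}
    share = len(both) / len(seen) if seen else 0.0
    return {"clients": len(seen), "old_protocol_only": old,
            "rc4_only": rc4, "share_affected": share}
```

The RC4 figure is an upper bound unless the server already prefers AES over RC4, because a negotiated RC4 suite may reflect the server's ordering rather than the client's best supported cipher.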
