From: Charles Swiger
To: Karl Denninger
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Date: Thu, 14 May 2015 10:23:12 -0700
In-Reply-To: <5554BE22.1000407@denninger.net>
References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554BE22.1000407@denninger.net>
List-Id: "Security issues [members-only posting]"

On May 14, 2015, at 8:24 AM, Karl Denninger wrote:
> [ ... ]
> I'd love to lock out TLS 1.0 but if you do that anyone still running
> anything that uses XP cannot connect.

True for WinXP + IE6: https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=6&platform=XP

However, large financial institutions like the major banks and large e-commerce
sites have disabled SSL v2 and SSL v3.  Folks still on XP will need to use IE8,
Firefox, Chrome, etc. if they want to talk to many secure websites.

> There ARE people out there still using that in the wild.  Not a huge
> number, but a material number.  On several relatively large systems I
> monitor the "in the wild" user count for Windows XP is still around 4%
> of all users to the sites.
>
> Same problem with RC4.  I'd love to lock that out too, but see above --
> that means 4% of the users can't connect (at all.)

WinXP + IE6 or IE8 should be the only common client which has RC4-SHA or
RC4-MD5 as the best supported cipher.  Everything else should support
AES128-SHA or better.

Regards,
-- 
-Chuck
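The question the thread circles around is how many of your own clients would be locked out by turning off TLS 1.0 and RC4. The script below is an added example, not code from this message or from the FreeBSD project: it does what a practitioner would do to answer that from real traffic, namely parse each ClientHello a server sees (for instance pulled from a pcap of port 443), take the highest version and the cipher suites the client offers, and test them against the policy you intend to deploy. Everything it is fed is constructed here: the "IE6-like" hello (TLS 1.0 only, RC4 and 3DES suites) is an assumption about what such a client offers, not a capture, and the two policy sets are illustrative.

```python
"""Classify TLS ClientHellos against a candidate server policy.

Added example (not from the mailing-list post or the FreeBSD project).
To measure who gets locked out by dropping TLS 1.0 and RC4, parse the
ClientHello each client sends (e.g. extracted from a pcap of port 443),
take its highest offered version and cipher suites, and test them against
the policy you intend to deploy.  The sample hellos below are constructed
here; the "IE6-like" one is an assumption about such a client, not a capture.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# IANA cipher suite values, labelled with the OpenSSL names used in the thread.
SUITE_NAMES = {0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x000A: "DES-CBC3-SHA",
               0x002F: "AES128-SHA", 0x0035: "AES256-SHA",
               0xC013: "ECDHE-RSA-AES128-SHA"}
SUPPORTED_VERSIONS_EXT = 43


def ver_name(v): return VERSION_NAMES.get(v, hex(v))
def suite_name(s): return SUITE_NAMES.get(s, f"0x{s:04x}")


def parse_client_hello(record: bytes) -> dict:
    """Return {'max_version', 'suites'} from a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    max_version = struct.unpack("!H", hello[0:2])[0]   # legacy client_version
    pos = 2 + 32                                      # skip client_random
    pos += 1 + hello[pos]                             # skip session id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + hello[pos]                             # skip compression methods
    # TLS 1.3 clients keep client_version at 0x0303 and put the real maximum
    # in the supported_versions extension, so walk the extensions if present.
    if pos + 2 <= len(hello):
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT and data:
                offered = [struct.unpack("!H", data[1 + i:3 + i])[0]
                           for i in range(0, data[0], 2)]
                real = [v for v in offered if (v & 0x0F0F) != 0x0A0A]  # drop GREASE
                if real:
                    max_version = max(real)
    return {"max_version": max_version, "suites": suites}


def check_client(record: bytes, min_version: int, server_suites) -> dict:
    """Would a server requiring >= min_version and offering server_suites accept it?"""
    h = parse_client_hello(record)
    reasons = []
    if h["max_version"] < min_version:
        reasons.append(f"client max {ver_name(h['max_version'])} "
                       f"< required {ver_name(min_version)}")
    common = [s for s in h["suites"] if s in server_suites]
    if not common:
        reasons.append("no cipher suite in common; client offers "
                       + ", ".join(suite_name(s) for s in h["suites"]))
    return {"accepted": not reasons, "common": common, "reasons": reasons}


def build_client_hello(version: int, suites, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (sample input for the parser)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty sid
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(lst) + 1) + bytes([len(lst)]) + lst
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


# Constructed samples (assumptions, not captures).
IE6_LIKE = build_client_hello(0x0301, [0x0004, 0x0005, 0x000A])           # TLS 1.0, RC4 + 3DES
MODERN = build_client_hello(0x0303, [0xC013, 0x002F, 0x0035],
                            supported_versions=[0x0A0A, 0x0304, 0x0303])  # GREASE, 1.3, 1.2

# Candidate policies: a permissive one vs. "no TLS 1.0, no RC4" (3DES dropped as well).
PERMISSIVE = dict(min_version=0x0301, server_suites={0xC013, 0x002F, 0x0035, 0x000A, 0x0005, 0x0004})
HARDENED = dict(min_version=0x0302, server_suites={0xC013, 0x002F, 0x0035})

if __name__ == "__main__":
    for name, hello in (("IE6-like", IE6_LIKE), ("modern", MODERN)):
        for pname, policy in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
            r = check_client(hello, **policy)
            verdict = "ok" if r["accepted"] else "REJECTED: " + "; ".join(r["reasons"])
            print(f"{name:9s} vs {pname:10s}: {verdict}")
```

Run over a day of real hellos, the two counts (rejected on version, rejected on cipher overlap) are the number Karl is estimating at 4%, and they separate the two decisions: a client that offers 3DES alongside RC4 survives an RC4-only removal but not a TLS 1.0 cut-off. Two caveats: the offered suite list says nothing about what your server currently picks, so the count is about the future policy, not today's negotiation; and hello counts include bots and scanners, so weight by session or user if that is what the 4% figure measures.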