Re: [TLS] publishing SSL 3.0 as historic

Martin Rex <mrex@sap.com> Tue, 15 February 2011 15:09 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201102151510.p1FFA7Rf019374@fs4113.wdf.sap.corp>
To: simon@josefsson.org
Date: Tue, 15 Feb 2011 16:10:07 +0100
In-Reply-To: <87vd0lbe2d.fsf@latte.josefsson.org> from "Simon Josefsson" at Feb 15, 11 02:52:10 pm
Cc: tls@ietf.org
Subject: Re: [TLS] publishing SSL 3.0 as historic
Reply-To: mrex@sap.com

Simon Josefsson wrote:
> 
> Martin Rex <mrex@sap.com> writes:
> 
> > Ralph Holz wrote:
> >> 
> >> > Considering that a non-marginal fraction of the TLS protected communication
> >> > actually negotiates protocol version {0x03,0x00}, there is no reason for
> >> > a classification of "historic".
> >> 
> >> Not intending to take sides here, but from our own observations at a
> >> large ISP, SSLv3 seems to be chosen as a protocol version only for a
> >> very marginal fraction of connections. I can't quite remember the
> >> numbers, but it was something around 0.1% or less. I can look it up, if
> >> you want.
> >
> > That low number appears somewhat unrealistic to me.
> >
> > Microsoft Windows XP was shipped with SSLv2 enabled and TLSv1.0 disabled.
> 
> Service packs can make rather radical changes, are you sure an updated
> Windows XP still enables SSLv2?  If so, I'm hoping the next security
> update will disable it.

I do not have access to a sufficient variety of "virgin" installs.
My impression is that installation of MSIE7 (or later) might change
the defaults and disable SSLv2 and enable TLSv1.0.  I don't know about XPsp3.

With XPsp2+MSIE6 as well as Win2K3sp2+MSIE6 the original default applies.

-Martin
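The disagreement above is about how often the negotiated version is {0x03,0x00} (SSLv3) rather than TLSv1.0 or later. The negotiated version is carried in the server_version field of the ServerHello, not in the record-layer header, so a measurement like Ralph's has to parse that far. The following is an added example, not code from the thread or from any of its participants: it parses the TLS record and Handshake headers down to server_version and tallies version shares over a constructed sample of 1000 ServerHello records (999 TLSv1.0, 1 SSLv3, giving the 0.1% figure quoted above). Record contents, cipher suite and sample proportions are all constructed for illustration. It assumes TLS 1.2 or earlier framing; TLS 1.3 signals the real version in the supported_versions extension instead, which this parser does not read.

```python
import struct
from collections import Counter

# Human-readable names for the (major, minor) pairs on the wire.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

HANDSHAKE_CONTENT_TYPE = 22   # TLS record ContentType.handshake
SERVER_HELLO_MSG_TYPE = 2     # HandshakeType.server_hello


def parse_server_hello_version(record: bytes):
    """Return (major, minor) from ServerHello.server_version, or None.

    Layout parsed: 5-byte record header (type, version, length), then a
    4-byte Handshake header (msg_type, 3-byte length), then the 2-byte
    server_version that starts the ServerHello body. The record-layer
    version is deliberately ignored: only the handshake body states what
    the server actually selected (for TLS <= 1.2).
    """
    if len(record) < 5 + 4 + 2:
        return None  # truncated capture, cannot contain a version
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE_CONTENT_TYPE:
        return None  # application data, alert, CCS: not a ServerHello
    body = record[5:5 + rec_len]
    if len(body) < 6:
        return None
    msg_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if msg_type != SERVER_HELLO_MSG_TYPE or hs_len > len(body) - 4:
        return None  # not a ServerHello, or declared length overruns the record
    return (body[4], body[5])


def build_server_hello(major: int, minor: int) -> bytes:
    """Construct a minimal ServerHello record for test input (constructed data).

    Body: server_version(2) random(32, zeroed) session_id_len(1)=0
          cipher_suite(2, TLS_RSA_WITH_AES_128_CBC_SHA) compression(1)=null
    """
    hs_body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO_MSG_TYPE]) + len(hs_body).to_bytes(3, "big") + hs_body
    return (bytes([HANDSHAKE_CONTENT_TYPE]) + bytes([major, minor])
            + len(handshake).to_bytes(2, "big") + handshake)


def version_share(records):
    """Fraction of parseable ServerHello records per negotiated version."""
    counts = Counter()
    for rec in records:
        version = parse_server_hello_version(rec)
        if version is not None:
            name = VERSION_NAMES.get(version, "unknown(%d,%d)" % version)
            counts[name] += 1
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()} if total else {}


# Constructed sample: 999 TLSv1.0 handshakes, 1 SSLv3 handshake, plus an
# application-data record and a truncated record that must both be skipped.
SAMPLE_RECORDS = (
    [build_server_hello(3, 1) for _ in range(999)]
    + [build_server_hello(3, 0)]
    + [b"\x17\x03\x01\x00\x01\x00", b"\x16\x03\x01"]
)


def sslv3_share_of_sample() -> float:
    return version_share(SAMPLE_RECORDS).get("SSLv3", 0.0)


if __name__ == "__main__":
    for name, share in sorted(version_share(SAMPLE_RECORDS).items()):
        print("%-8s %6.2f%%" % (name, share * 100))
```

Run against a real capture, the same parser can be fed the first record of each server-to-client TLS stream; note that a ServerHello split across two records, or an SSLv2-compatible ClientHello on the other direction, would need extra handling this example does not include.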