Re: [TLS] interop for TLS clients proposing TLSv1.1

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Wed, 21 September 2011 21:29 UTC


On Wed, 21 Sep 2011 22:48:33 +0200, Martin Rex <mrex@sap.com> wrote:

> Does anyone (SSL Labs, Opera, others) have any figures/stats about the
> current "TLSv1.1 version (in)tolerance" for TLS servers on the public
> internet?

This week's test of 609726 servers gave these numbers:

   * 1.145% of the probed servers were version intolerant for at least one of the current TLS versions (1.0, 1.1, 1.2)
   * 1.742% were extension intolerant for the same versions
   * 1.136% belonged in both groups

This gives an estimated total of 1.751% that are either version and/or  
extension intolerant for the currently defined TLS versions.

These numbers have been decreasing during the past year and a half; around  
January 2011 it was 1.951% just for the version intolerant, 2.657% in May  
2010 (the extension numbers are not as detailed for those runs).

Most of the version intolerant are intolerant for TLS 1.1 and TLS 1.2, but  
some are SSLv3 only servers that are also intolerant for TLS 1.0. There is  
even a 0.007% share that support TLS 1.1 (quite a lot of which has "vpn"  
as the hostname).

If Opera encounters an intolerant server it will shut down the connection  
and fall back step by step.

Essentially, the fallback sequence is currently:

   TLS 1.0 + extensions
   TLS 1.0 w/o extensions
   SSL v3

Upwards it is v1.1 and v1.2, and fallback if negotiation failed.



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************
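
A small model of the step-by-step fallback described in the message above, added here as an illustration; it is not Opera's code and not part of the original message. The `Server` class, its two intolerance flags, and the two upper ladder steps (TLS 1.2, then TLS 1.1, both with extensions) are assumptions; only the last three steps are listed in the message.

```python
from dataclasses import dataclass

# Protocol versions as (major, minor) wire values, so they compare in order.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

# (offered version, extensions sent). The first two steps are an assumption;
# the last three are the sequence listed in the message.
LADDER = [
    (TLS12, True),
    (TLS11, True),
    (TLS10, True),   # TLS 1.0 + extensions
    (TLS10, False),  # TLS 1.0 w/o extensions
    (SSL3, False),   # SSL v3
]


@dataclass
class Server:
    """Constructed model of a server's handshake behaviour, not a TLS stack."""
    max_version: tuple
    version_intolerant: bool = False
    extension_intolerant: bool = False

    def hello(self, offered, extensions):
        """Return the negotiated version, or None when the handshake fails."""
        if extensions and self.extension_intolerant:
            return None
        if offered > self.max_version:
            # A tolerant server answers with its own highest version;
            # an intolerant one fails instead of negotiating down.
            return None if self.version_intolerant else self.max_version
        return offered


def connect(server, ladder=LADDER):
    """Walk the ladder; return (negotiated version, extensions sent, attempts)."""
    for attempt, (version, extensions) in enumerate(ladder, start=1):
        negotiated = server.hello(version, extensions)
        if negotiated is not None:
            return negotiated, extensions, attempt
    return None, False, len(ladder)


if __name__ == "__main__":
    # Constructed server profiles matching the categories in the message.
    print(connect(Server(TLS10)))
    print(connect(Server(TLS10, version_intolerant=True)))
    print(connect(Server(TLS10, extension_intolerant=True)))
    print(connect(Server(SSL3, version_intolerant=True)))
```

The attempt count shows the cost of intolerance to the client: each failed step is a torn-down connection before the next, weaker offer is made.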