<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 1/27/2016 07:56, Nulik Nol wrote:<br>
<blockquote
cite="mid:CAHO6xe94w-wjbtBpqyOvkpfrPYLvAKKi0pck43QcBNE13aPMRQ@mail.gmail.com"
type="cite">
<pre wrap="">Hi,
I have to implement SSL/TLS in a proprietary web server daemon. I am
only familiar with SSL as a user, not as developer, so my question is.
What versions of SSL should I support for best compatibility and
optimal development time? How much old browsers are out there that
still use older SSL versions? Because, Wikipedia says SSL 3.0 was
deprecated by Jun 2015 but if I only implement TLS, I may lose many
visitors with old browsers, right ?
Please advise.
TIA
Nulik
</pre>
</blockquote>
Some, to use a single word. Not many though.<br>
<br>
The notable problems come from very old mobile handsets (e.g. Froyo
and similar Android). I have about 3% of my users on systems I
manage still hitting them from XP machines as an example of "old",
which are potential issues in this regard, BUT TLS1.0 is supportable
by XP -- so shutting off SSL3 won't kill those users.<br>
<br>
There are a smattering of machines that still hit my sites running
Windows 98, however (well under 1%), believe it or not.<br>
<br>
Be aware that the OpenSSL defaults when you define a server context
are inappropriate for most purposes and thus you have to do a bit
more work when programming a server to get a reasonably-secure
environment than when connecting using OpenSSL as a client.
Specifically, be aware of issues surrounding client renegotiation
requests (which can turn into a denial-of-service problem) and how
you handle Diffie-Hellman (if you choose to load said keys) along
with the ECDH cipher set. For a server you also have to consider
whether you're going to multiplex or multithread as OpenSSL requires
some additional attention at the programming level (for locking) in
a threaded application.<br>
<br>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
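<br>
A worked version of the server-side hardening the reply above lists (SSLv2/SSLv3 off while TLS 1.0 can stay reachable for XP-era clients, client-initiated renegotiation refused, the DH and ECDH setup chosen explicitly rather than left to defaults), as an added example that is not code from the original thread or from Karl Denninger. It uses Python's standard <code>ssl</code> module because that module is a thin wrapper over an OpenSSL <code>SSL_CTX</code>: each setting below corresponds to an <code>SSL_CTX_set_options</code>, <code>SSL_CTX_set_cipher_list</code>, <code>SSL_CTX_set_tmp_ecdh</code> or <code>SSL_CTX_set_tmp_dh</code> call a C daemon would make. The certificate and DH parameter paths are hypothetical placeholders, and the cipher policy string is constructed for this example.<br>

```python
"""Hardened TLS server context using Python's stdlib ssl module.

Added example, not code from the original mailing-list thread. ssl.SSLContext
wraps an OpenSSL SSL_CTX, so every setting here is the Python spelling of an
SSL_CTX_* call a C server would make. File paths are hypothetical placeholders.
"""
import ssl

# Constructed cipher policy: forward-secret suites first, legacy junk excluded.
# It governs TLS 1.2 and below; OpenSSL configures TLS 1.3 suites separately.
CIPHER_POLICY = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES:DHE+AES:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"
)


def make_server_context(certfile=None, keyfile=None, dhparams=None,
                        minimum=ssl.TLSVersion.TLSv1_2):
    """Build a server SSL_CTX with explicit, non-default settings.

    minimum: oldest protocol version to accept. TLSv1_2 is the sane default;
    pass ssl.TLSVersion.TLSv1 only if XP-era clients must keep working.
    SSLv2 and SSLv3 stay off in every case.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # Protocol floor (SSL_CTX_set_min_proto_version in C). Never below TLS 1.0.
    if minimum < ssl.TLSVersion.TLSv1:
        raise ValueError("SSLv2/SSLv3 must not be enabled")
    ctx.minimum_version = minimum
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3

    # Client-initiated renegotiation lets a peer force repeated full handshakes
    # at little cost to itself, which is the denial-of-service angle. OpenSSL
    # 1.1.0h+ exposes SSL_OP_NO_RENEGOTIATION; older builds need an info
    # callback in C that aborts renegotiation requests instead.
    if hasattr(ssl, "OP_NO_RENEGOTIATION"):
        ctx.options |= ssl.OP_NO_RENEGOTIATION

    # Server chooses the suite, not the client; no TLS compression;
    # fresh DH/ECDH keys per connection instead of a reused ephemeral key.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.options |= ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE

    ctx.set_ciphers(CIPHER_POLICY)

    # ECDHE needs a curve; prime256v1 (P-256) is universally supported.
    ctx.set_ecdh_curve("prime256v1")

    # DHE suites need explicit group parameters; with none loaded OpenSSL
    # silently offers no DHE suite at all. Generate your own (2048 bits or more).
    if dhparams is not None:
        ctx.load_dh_params(dhparams)  # e.g. "/etc/myd/dhparams.pem" (placeholder)

    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)  # placeholder paths
    return ctx


def hardening_report(ctx):
    """Summarise the context so a deployment check can assert on it."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak_markers = ("RC4", "NULL", "DES", "MD5", "EXP")
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3)
                          or ctx.minimum_version >= ssl.TLSVersion.TLSv1,
        "renegotiation_disabled": bool(
            getattr(ssl, "OP_NO_RENEGOTIATION", 0) & ctx.options),
        "server_cipher_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_ciphers_present": any(m in n for n in names for m in weak_markers),
        "forward_secrecy_only": all(n.startswith(("ECDHE", "DHE", "TLS_")) for n in names),
        "cipher_count": len(names),
    }


if __name__ == "__main__":
    # No certificate loaded: inspect the policy only.
    for key, value in hardening_report(make_server_context()).items():
        print(f"{key:26s} {value}")
```

The locking point in the reply is outside what this module exposes: OpenSSL 1.0.x requires the C daemon to install <code>CRYPTO_set_locking_callback</code> (and an id callback) before any thread touches the library, while OpenSSL 1.1.0 and later lock internally and need no callback.<br>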
</body>
</html>