[openssl-users] SSL version status
Nulik Nol
nuliknol at gmail.com
Wed Jan 27 21:00:32 UTC 2016
Thanks for the link!
This says it all:
" o Implementations MUST NOT negotiate SSL version 2.
Rationale: Today, SSLv2 is considered insecure [RFC6176].
o Implementations MUST NOT negotiate SSL version 3.
Rationale: SSLv3 [RFC6101] was an improvement over SSLv2 and
plugged some significant security holes but did not support strong
cipher suites.
"
On Wed, Jan 27, 2016 at 1:52 PM, Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>
>> On Jan 27, 2016, at 8:56 AM, Nulik Nol <nuliknol at gmail.com> wrote:
>>
>> How many old browsers are out there that
>> still use older SSL versions? Because, Wikipedia says SSL 3.0 was
>> deprecated by Jun 2015 but if I only implement TLS, I may lose many
>> visitors with old browsers, right?
>
> You do not have to enable SSLv3. Its use is exceedingly rare
> these days. You will not lose interoperability with a non-negligible
> number of clients. Make sure SSLv2 and SSLv3 are both disabled.
>
> See https://tools.ietf.org/html/rfc7525 for guidelines.
>
> --
> Viktor.
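A way to check a captured server hello against the two MUST NOT rules quoted in this thread, as an added example that is not part of the original messages or of OpenSSL. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Version numbers as they appear on the wire.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1",
            0x0303: "TLS 1.2 or later"}  # TLS 1.3 reuses 0x0303 in this field
FORBIDDEN = {"SSLv2", "SSLv3"}  # the two MUST NOT rules quoted in the thread


def negotiated_version(data: bytes) -> str:
    """Name the protocol version in a server's first hello message."""
    if len(data) < 3:
        raise ValueError("truncated record")
    # SSLv2 record: 2-byte header with the high bit set, msg type 4 = SERVER-HELLO.
    if data[0] & 0x80 and data[2] == 0x04:
        return "SSLv2"
    # SSLv3/TLS: record type(1) version(2) length(2), then handshake
    # type(1) length(3) server_version(2).
    if len(data) < 11:
        raise ValueError("truncated ServerHello")
    if data[0] != 0x16 or data[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    (version,) = struct.unpack("!H", data[9:11])
    return VERSIONS.get(version, f"unknown (0x{version:04x})")


def violates_quoted_rules(data: bytes) -> bool:
    """True when the server agreed to SSLv2 or SSLv3."""
    return negotiated_version(data) in FORBIDDEN


def sample_server_hello(version: int) -> bytes:
    """Constructed sample: minimal SSLv3/TLS ServerHello, empty session id."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed sample: SSLv2 SERVER-HELLO with all variable-length fields empty.
SAMPLE_SSLV2_HELLO = b"\x80\x0b\x04\x00\x00\x00\x02" + bytes(6)

if __name__ == "__main__":
    for name, msg in [("sslv2", SAMPLE_SSLV2_HELLO),
                      ("sslv3", sample_server_hello(0x0300)),
                      ("tls1.2", sample_server_hello(0x0303))]:
        print(name, negotiated_version(msg), violates_quoted_rules(msg))
```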