[openssl-users] SSL version status

Nulik Nol nuliknol at gmail.com
Wed Jan 27 21:00:32 UTC 2016

Thanks for the link!
This says it all:
"  o  Implementations MUST NOT negotiate SSL version 2.

      Rationale: Today, SSLv2 is considered insecure [RFC6176].

   o  Implementations MUST NOT negotiate SSL version 3.

      Rationale: SSLv3 [RFC6101] was an improvement over SSLv2 and
      plugged some significant security holes but did not support strong
      cipher suites."

On Wed, Jan 27, 2016 at 1:52 PM, Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>> On Jan 27, 2016, at 8:56 AM, Nulik Nol <nuliknol at gmail.com> wrote:
>> How many old browsers are out there that
>> still use older SSL versions? Because, Wikipedia says SSL 3.0 was
>> deprecated by Jun 2015 but if I only implement TLS, I may lose many
>> visitors with old browsers, right?
> You do not have to enable SSLv3.  Its use is exceedingly rare
> these days.  You will not lose interoperability with a non-negligible
> number of clients.  Make sure SSLv2 and SSLv3 are both disabled.
> See https://tools.ietf.org/html/rfc7525 for guidelines.
> --
>         Viktor.

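An added example, not part of the original thread or of OpenSSL: one way to confirm that a server no longer negotiates SSLv2 or SSLv3 is to read the version it selects in its hello message. The function and sample names are hypothetical, and the sample bytes are constructed rather than captured.

```python
import struct

# Wire encodings of the protocol version field.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
FORBIDDEN = {"SSLv2", "SSLv3"}  # the two MUST NOT rules quoted in the thread


def server_hello_version(data: bytes) -> str:
    """Return the protocol version the server selected in its hello message."""
    try:
        if data[0] & 0x80 and data[2] == 4:
            # SSLv2 framing: 2-byte length (high bit set), SERVER-HELLO (4),
            # session-id-hit, certificate-type, then the 2-byte version.
            return VERSIONS.get(struct.unpack_from(">H", data, 5)[0], "unknown")
        if data[0] != 22 or data[5] != 2:
            raise ValueError("not a ServerHello handshake record")
        body = data[9:5 + struct.unpack_from(">H", data, 3)[0]]
        version = struct.unpack_from(">H", body, 0)[0]
        pos = 2 + 32                 # skip version and random
        pos += 1 + body[pos]         # skip session_id
        pos += 2 + 1                 # skip cipher_suite, compression_method
        if pos + 2 <= len(body):     # extensions block present
            end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
            pos += 2
            while pos + 4 <= min(end, len(body)):
                ext_type, ext_len = struct.unpack_from(">HH", body, pos)
                if ext_type == 43 and ext_len == 2:
                    # supported_versions carries the real choice in TLS 1.3
                    version = struct.unpack_from(">H", body, pos + 4)[0]
                pos += 4 + ext_len
        return VERSIONS.get(version, "unknown")
    except (IndexError, struct.error):
        raise ValueError("truncated hello message") from None


def negotiates_forbidden(data: bytes) -> bool:
    """True when the server picked a version the quoted rules prohibit."""
    return server_hello_version(data) in FORBIDDEN


def sample_hello(version: int, ext: bytes = b"") -> bytes:
    """Constructed ServerHello (zero random, empty session id), not a capture."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if ext:
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", min(version, 0x0303), len(hs)) + hs


SAMPLE_SSLV2 = b"\x80\x0b\x04\x00\x01\x00\x02" + bytes(6)  # constructed
```

Feed it the first bytes a server sends back during a handshake against your own deployment; any result for which `negotiates_forbidden` returns True means SSLv2 or SSLv3 is still enabled on that listener.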