[openssl-users] SSL version status

Karl Denninger karl at denninger.net
Thu Jan 28 16:49:54 UTC 2016


On 1/27/2016 07:56, Nulik Nol wrote:
> Hi,
> I have to implement SSL/TLS in a proprietary web server daemon. I am
> only familiar with SSL as a user, not as a developer, so my question is:
> what versions of SSL should I support for best compatibility and
> optimal development time? How many old browsers are out there that
> still use older SSL versions? Because Wikipedia says SSL 3.0 was
> deprecated by June 2015, but if I only implement TLS, I may lose many
> visitors with old browsers, right?
>
> Please advise.
> TIA
> Nulik
Some, to use a single word.  Not many though.

The notable problems come from very old mobile handsets (e.g. Froyo and
similar Android). I have about 3% of my users on systems I manage still
hitting them from XP machines as an example of "old", which are
potential issues in this regard, BUT TLS1.0 is supportable by XP -- so
shutting off SSL3 won't kill those users.

There are a smattering of machines that still hit my sites running
Windows 98, however (well under 1%), believe it or not.

Be aware that the OpenSSL defaults when you define a server context are
inappropriate for most purposes and thus you have to do a bit more work
when programming a server to get a reasonably-secure environment than
when connecting using OpenSSL as a client.  Specifically, be aware of
issues surrounding client renegotiation requests (which can turn into a
denial-of-service problem) and how you handle Diffie-Hellman (if you
choose to load said keys) along with the ECDH cipher set.  For a server
you also have to consider whether you're going to multiplex or
multithread as OpenSSL requires some additional attention at the
programming level (for locking) in a threaded application.

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/