On Thursday, May 28, 2015 12:35 PM Lukas Tribus wrote:

> > What about other clients (ie. browsers running on different OS
> > combinations) - especially legacy systems?
>
> If you refer to long-EOL'ed systems, then they probably don't support DHE at
> all.

Alas, a system being EOL'ed doesn't hinder its use - even if it is unwise. We've also got customers who I know are paying extortionately large amounts of money to Microsoft for continued Windows XP support.

> > Will IE7 on Windows XP have problems if I change to a 2048 or even a 4096
> > DH group?
>
> Scannel on Windows XP doesn't support DHE with RSA, therefore IE6/7/8 will
> connect just fine (without FS).

I assume you mean Schannel, and yes - I just did a small test on a public low-volume site using a VM-based IE7 and SSLLabs SSLTest[1], and can see that both IE7 and IE8 on Windows XP use the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (the OpenSSL name is DES-CBC3-SHA) when connecting.

As far as I can see the only client that cannot connect in that test is a Java 1.6-based one - all others are fine (just as you said).

A follow-up question: How much does the size of my chosen DH group affect clients and the server when negotiating the connection?

The SSLLabs test did not take any longer using a 4096-bit DH group instead of a 2048-bit one. Could I (at least in theory) make an 8192-bit DH group and not expect any performance problems?

Regards,
Jens Dueholm Christensen
Survey IT

[1]: https://www.ssllabs.com/ssltest/index.html
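Editor's note on the follow-up question about group size. A single SSL Labs probe does one handshake and will not show the cost difference, but the server pays for the two modular exponentiations of every DHE handshake, and that cost grows roughly cubically with the modulus size (about 6x to 8x per doubling, so an 8192-bit group is in the order of 40x to 60x the per-handshake work of a 2048-bit one). The script below is an added example, not code from the thread or from HAProxy or OpenSSL: it performs both halves of a DHE exchange in pure Python for 2048-, 4096- and 8192-bit moduli and reports the relative cost. Assumptions: the moduli are fixed-seed odd integers used only for timing, not real safe primes (a production server must use a proper group such as an RFC 7919 group or `openssl dhparam` output); private exponents are full modulus length, the worst case; and Python's big-integer `pow` is used as a stand-in for the OpenSSL Montgomery code, which is far faster in absolute terms but scales with modulus size in the same way.

```python
"""Relative cost of DHE key exchange at 2048, 4096 and 8192 bits.

Added example for the mailing-list discussion above; not part of the
original thread, HAProxy or OpenSSL.
"""

import random
import time


def make_modulus(bits: int, seed: int = 1) -> int:
    """Return a fixed-seed odd integer of exactly `bits` bits.

    Assumption: this is NOT a real DH group (it is never checked for
    primality).  Modular exponentiation cost depends on the size of the
    modulus, not on whether it is prime, so it is good enough for timing.
    Never use such a value in a live configuration.
    """
    rng = random.Random(seed)
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1


def dhe_exchange(p: int, g: int, rng: random.Random):
    """Run both sides of one DHE exchange; return (secret_a, secret_b).

    Each side does two modexps: its own public value and the shared
    secret.  Private exponents are drawn from the full modulus range
    (worst case; an implementation that knows the subgroup order can
    use shorter exponents and save time).
    """
    a = rng.randrange(2, p - 1)
    b = rng.randrange(2, p - 1)
    pub_a = pow(g, a, p)
    pub_b = pow(g, b, p)
    # g^(ab) computed independently by each side; must agree.
    return pow(pub_b, a, p), pow(pub_a, b, p)


def time_exchange(bits: int, reps: int = 3) -> float:
    """Seconds for the fastest of `reps` full exchanges (4 modexps)."""
    p = make_modulus(bits)
    rng = random.Random(42)
    best = float("inf")
    for _ in range(reps):
        start = time.perf_counter()
        secret_a, secret_b = dhe_exchange(p, 2, rng)
        elapsed = time.perf_counter() - start
        if secret_a != secret_b:
            raise RuntimeError("shared secrets differ; exchange is broken")
        best = min(best, elapsed)
    return best


def cost_ratios(sizes=(2048, 4096, 8192), reps=3):
    """Map each modulus size to (seconds per exchange, ratio to smallest)."""
    timings = {bits: time_exchange(bits, reps) for bits in sizes}
    base = timings[min(sizes)]
    return {bits: (secs, secs / base) for bits, secs in timings.items()}


if __name__ == "__main__":
    smallest = min(cost_ratios.__defaults__[0])
    for bits, (secs, ratio) in cost_ratios().items():
        print(f"{bits:5d}-bit group: {secs * 1000:8.1f} ms per exchange "
              f"({ratio:5.1f}x the {smallest}-bit cost)")
```

The ratios are what matter, not the absolute milliseconds: they hold for a real server because the underlying arithmetic scales the same way. For a low-volume site a 4096-bit group is harmless, but on a server terminating many DHE handshakes per second the 8192-bit case is a denial-of-service amplifier against yourself, with every client-initiated handshake costing tens of times more CPU than at 2048 bits.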