On 1/27/2016 07:56, Nulik Nol wrote:
> Hi,
> I have to implement SSL/TLS in a proprietary web server daemon. I am
> only familiar with SSL as a user, not as a developer, so my question is:
> What versions of SSL should I support for best compatibility and
> optimal development time? How many old browsers are out there that
> still use older SSL versions? Because Wikipedia says SSL 3.0 was
> deprecated by Jun 2015, but if I only implement TLS, I may lose many
> visitors with old browsers, right?
>
> Please advise.
> TIA
> Nulik

Some, to use a single word. Not many though.
The notable problems come from very old mobile handsets (e.g. Froyo and similar Android). I have about 3% of my users on systems I manage still hitting them from XP machines as an example of "old", which are potential issues in this regard, BUT TLS1.0 is supportable by XP -- so shutting off SSL3 won't kill those users. There is a smattering of machines that still hit my sites running Windows 98, however (well under 1%), believe it or not.

Be aware that the OpenSSL defaults when you define a server context are inappropriate for most purposes and thus you have to do a bit more work when programming a server to get a reasonably-secure environment than when connecting using OpenSSL as a client. Specifically, be aware of issues surrounding client renegotiation requests (which can turn into a denial-of-service problem) and how you handle Diffie-Hellman (if you choose to load said keys) along with the ECDH cipher set.

For a server you also have to consider whether you're going to multiplex or multithread, as OpenSSL requires some additional attention at the programming level (for locking) in a threaded application.

-- 
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
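A server context built along the lines of Karl's checklist (SSLv3 off, client renegotiation refused, an explicit ECDH curve, DH parameters only if you load them, server-chosen forward-secret suites), as an added example that is not part of the thread. It uses Python's standard ssl module, which drives the same OpenSSL SSL_CTX and SSL_OP_* bits the C API sets through SSL_CTX_set_options, SSL_CTX_set_cipher_list and SSL_CTX_set_tmp_ecdh; the certificate, key and DH parameter paths are the caller's, and SSL_OP_NO_RENEGOTIATION exists only on OpenSSL 1.1.0h and later.

```python
import ssl

# Added example, not code from the thread. Python's ssl module wraps the same
# OpenSSL SSL_CTX the C API uses, so each call below names its C counterpart.
def make_server_context(certfile=None, keyfile=None, dhparams=None,
                        minimum=ssl.TLSVersion.TLSv1_2):
    # PROTOCOL_TLS_SERVER already sets SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; in C
    # you set them yourself (SSL_CTX_set_options / SSL_CTX_set_min_proto_version).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor. TLSv1_2 is the sane default now; passing TLSv1 is what
    # keeps the XP-era clients from the reply working, at the cost of old suites.
    ctx.minimum_version = minimum
    # Client-initiated renegotiation is the DoS vector the reply warns about.
    # SSL_OP_NO_RENEGOTIATION exists only in OpenSSL >= 1.1.0h, hence getattr.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    # No TLS compression (CRIME); server, not client, picks the cipher suite.
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # SSL_CTX_set_cipher_list: forward-secret AEAD suites, nothing anonymous,
    # NULL, MD5 or RC4.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!MD5:!RC4")
    # ECDH curve (SSL_CTX_set_tmp_ecdh); some builds lack the method.
    if hasattr(ctx, "set_ecdh_curve"):
        ctx.set_ecdh_curve("prime256v1")
    # DHE suites are only offered once DH parameters are loaded
    # (SSL_CTX_set_tmp_dh); generate them with `openssl dhparam 2048`.
    if dhparams:
        ctx.load_dh_params(dhparams)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_server_context(ctx):
    """Checks a deployer wants to hold before the daemon goes live."""
    names = [c["name"] for c in ctx.get_ciphers()]
    reneg_flag = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return {
        "sslv3_disabled": ctx.minimum_version >= ssl.TLSVersion.TLSv1,
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "renegotiation_flag_available": bool(reneg_flag),
        "renegotiation_disabled": bool(ctx.options & reneg_flag),
        "weak_ciphers": [n for n in names if "RC4" in n or "MD5" in n],
        "cipher_count": len(names),
    }
```

On the threading point: OpenSSL 1.1.0 and later lock internally, so the locking callbacks (CRYPTO_set_locking_callback) are only needed when a threaded C daemon links a 1.0.x library.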
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users