On Wed, Jul 20, 2016 at 11:20:46AM +0200, Hubert Kario wrote:
> 
> So I have partial results after scanning around 14 000 domains.
> The scanner was able to connect to 12 606 hosts that presented unexpired
> certificates signed by CAs in the Mozilla root program.
> 
> Of those:
> 93% support TLSv1.2 protocol (11807)
> a single one is intolerant to TLSv1.2 Client Hello
> 3.7% (469) are intolerant to TLSv1.3 Client Hello
> 4.4% (556) are intolerant to TLSv1.4 Client Hello
> 
> (by intolerant, I mean, I was not able to connect to them with any hello
> message that looked like an IE, Chrome or Firefox Client Hello with just
> version changed or additionally some or all extensions removed)
> 
> at the same time, 15.5% (1965) are intolerant to an "Xmas tree" Client
> Hello (one that includes many ciphers, few TLSv1.3 key shares, etc. bringing
> its size to something like 2800 bytes)

Wonder how big a part of the difference is due to steps (e.g. 1024 and
2048 bytes) in between and how much is due to the extra extensions or
ciphers.

> 49% (6240) are intolerant to a Client Hello with no extensions but
> a big number of ciphers that bring its size to 16388 bytes
> 91.5% (11539) are intolerant to a Client Hello with no extensions
> but a number of ciphers that bring it well above the single record layer limit
> (16.5KiB)

Wonder how much of that is again size thresholds (in Ciphersuites and
in total ClientHello size) and how much is fragmenting the Client
Hello into multiple fragments...


-Ilari
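As an added illustration of the two effects Ilari asks about (total ClientHello size versus record-layer fragmentation), not code from either email or from Hubert's scanner: the Python below builds an extension-less ClientHello from a given number of cipher suites, shows how its handshake length grows (43 + 2 per suite), splits it across TLS records at the 2^14-byte plaintext limit from RFC 5246, and reassembles it the way a tolerant server must before parsing. The cipher suite IDs are constructed filler values, the padding extension (RFC 7685) is used only to vary size without changing content, and nothing here touches the network.

```python
"""Constructed TLS ClientHello builder/fragmenter for reasoning about size
thresholds and record-layer fragmentation. Illustration only; no network I/O."""
import os
import struct

TLS_RECORD_MAX = 16384          # max plaintext per record, RFC 5246 6.2.1 (2^14)
HANDSHAKE = 0x16                # ContentType handshake
CLIENT_HELLO = 0x01             # HandshakeType client_hello
RECORD_VERSION = b"\x03\x01"    # record-layer version most clients put on the wire


def build_client_hello(num_ciphers, version=b"\x03\x03", extensions=b""):
    """Return one ClientHello handshake message (4-byte handshake header + body).
    Cipher suite IDs are constructed filler values (0xC000 + i), not a real
    cipher list; only the resulting length matters for this illustration."""
    suites = b"".join(struct.pack("!H", 0xC000 + (i % 0x3FFF))
                      for i in range(num_ciphers))
    body = (
        version
        + os.urandom(32)                                # client random
        + b"\x00"                                       # empty session id
        + struct.pack("!H", len(suites)) + suites       # cipher_suites<2..2^16-2>
        + b"\x01\x00"                                   # one compression method: null
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def handshake_len_for(num_ciphers):
    """Expected length of an extension-less hello: 4 hdr + 2 + 32 + 1 + 2 + 2N + 1 + 1."""
    return 43 + 2 * num_ciphers


def padding_extension(total_len):
    """RFC 7685 padding extension (type 21) occupying total_len bytes including
    its 4-byte header. Lets one grow a hello without adding ciphers or other
    extensions, separating a pure size threshold from content sensitivity."""
    assert total_len >= 4
    return struct.pack("!HH", 21, total_len - 4) + b"\x00" * (total_len - 4)


def fragment_records(handshake_msg, max_fragment=TLS_RECORD_MAX):
    """Split a handshake message across TLS records of at most max_fragment
    plaintext bytes each. A hello above 16384 bytes necessarily yields >1 record."""
    records = []
    for off in range(0, len(handshake_msg), max_fragment):
        chunk = handshake_msg[off:off + max_fragment]
        records.append(bytes([HANDSHAKE]) + RECORD_VERSION
                       + struct.pack("!H", len(chunk)) + chunk)
    return records


def reassemble_handshake(records):
    """What a tolerant receiver does: strip record headers and concatenate the
    fragments before parsing. An implementation that treats each record as a
    complete handshake message breaks on exactly the multi-record hellos."""
    buf = b""
    for rec in records:
        ctype, length = rec[0], struct.unpack("!H", rec[3:5])[0]
        assert ctype == HANDSHAKE and len(rec) == 5 + length, "malformed record"
        buf += rec[5:]
    return buf


def parse_client_hello(msg):
    """Parse the few fields needed to sanity-check a (reassembled) ClientHello."""
    assert msg[0] == CLIENT_HELLO, "not a ClientHello"
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    assert len(body) == body_len, "truncated handshake message"
    version = body[0:2]
    sid_len = body[34]                                  # after 2-byte version + 32-byte random
    p = 35 + sid_len
    suites_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2 + suites_len
    comp_len = body[p]
    p += 1 + comp_len
    ext_len = struct.unpack("!H", body[p:p + 2])[0] if p < len(body) else 0
    return {"version": version, "num_ciphers": suites_len // 2, "ext_len": ext_len}


if __name__ == "__main__":
    for n in (8000, 8200):
        msg = build_client_hello(n)
        recs = fragment_records(msg)
        print(f"{n} suites -> {len(msg)} bytes handshake, {len(recs)} record(s)")
        assert reassemble_handshake(recs) == msg
```

Running the script shows the cliff directly: 8000 filler suites give a 16043-byte hello that fits in one record, while 8200 suites give 16443 bytes and force a second record carrying the remaining 59 bytes. To isolate the 1024/2048-byte steps from extension content, grow an otherwise fixed hello with `padding_extension` alone and observe where behaviour changes.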

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls