m...@sap.com (Martin Rex) wrote:
> Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org> wrote:
>>
>> On the recent Windows versions, TLS 1.0 is negotiated more than 10%
>> of the time on the client side (this includes non-browser connections
>> from all sorts of apps, some hard-coding TLS versions),
>> and TLS 1.1 accounts for ~0.3% of client connections.
>
> "On recent Windows versions" sounds like the figure might not account
> for Windows 7 and Windows Server 2008R2, about half of the installed
> base of Windows, and where the numbers are likely *MUCH* higher.
>
> When troubleshooting TLS handshake failures, I sometimes try
> alternative SSL/TLS clients on customer machines through remote support,
> and it seems when I run this command on a Windows 2012R2 server:
>
>   powershell "$web=New-Object System.Net.WebClient ;
>   $web.DownloadString('https://www.example.com/')" 2>&1
>
> it connects with TLSv1.0 only, and this is a client-side limitation.
>
> To make it use TLSv1.2, I would have to use
>
>   powershell "[Net.ServicePointManager]::SecurityProtocol =
>   [Net.SecurityProtocolType]::Tls12 ; $web=New-Object System.Net.WebClient ;
>   $web.DownloadString('https://www.example.com/')" 2>&1
>
> i.e. explicit opt-in.

btw. I checked this on a Windows 10 (1709) machine, and its powershell
also tries connecting with TLSv1.0 only.

To me, it looks more like 100% of the Microsoft Windows installed base
not being ready for a TLSv1.2-only world.

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
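
The check below is an added example, not part of the original message: it reads the process-wide setting that the quoted opt-in command assigns, reports which TLS versions a `System.Net.WebClient` in that PowerShell session would offer, and adds TLS 1.2 without dropping the versions already enabled. The function names `Get-ClientTlsDefault` and `Enable-Tls12` are hypothetical, and the script assumes Windows PowerShell 3 or later on .NET Framework 4.5 or later, where the `Tls11` and `Tls12` enum members exist.

```powershell
# Added example (not from the original message). Function names are hypothetical.
# Assumes Windows PowerShell 3+ on .NET Framework 4.5+ (Tls11/Tls12 members exist).

function Get-ClientTlsDefault {
    # ServicePointManager holds the protocol versions that WebClient and
    # HttpWebRequest offer for every connection made by this process.
    $current = [Net.ServicePointManager]::SecurityProtocol
    [pscustomobject]@{
        Raw       = $current.ToString()
        # A value of 0 means "defer to the operating system defaults".
        OsDefault = ([int]$current -eq 0)
        Tls10     = $current.HasFlag([Net.SecurityProtocolType]::Tls)
        Tls11     = $current.HasFlag([Net.SecurityProtocolType]::Tls11)
        Tls12     = $current.HasFlag([Net.SecurityProtocolType]::Tls12)
    }
}

function Enable-Tls12 {
    # Returns $true only when the setting was actually changed.
    $current = [Net.ServicePointManager]::SecurityProtocol
    if ([int]$current -eq 0) {
        # OS defaults are in effect. OR-ing a flag into 0 would pin the
        # process to TLS 1.2 alone, so leave the setting untouched.
        return $false
    }
    if ($current.HasFlag([Net.SecurityProtocolType]::Tls12)) {
        return $false
    }
    # Add TLS 1.2 to what is already enabled instead of replacing it, so
    # servers that only speak an older version remain reachable.
    [Net.ServicePointManager]::SecurityProtocol = $current -bor [Net.SecurityProtocolType]::Tls12
    return $true
}

# Report the setting before the opt-in, and again only if it changed.
Get-ClientTlsDefault | Format-List
if (Enable-Tls12) {
    Get-ClientTlsDefault | Format-List
}
```

The change applies only to the current process, so each new PowerShell session starts from its default again.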