m...@sap.com (Martin Rex) wrote:
> Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org> wrote:
>>
>> On the recent Windows versions, TLS 1.0 is negotiated more than 10%
>> of the time on the client side (this includes non-browser connections
>> from all sorts of apps, some hard-coding TLS versions),
>> and TLS 1.1 accounts for ~0.3% of client connections.
> 
> "On recent Windows versions" sounds like the figure might not account
> for Windows 7 and Windows Server 2008R2, about half of the installed
> base of Windows, and where the numbers are likely *MUCH* higher.
> 
> When troubleshooting TLS handshake failures, I sometimes try
> alternative SSL/TLS clients on customer machines through remote support,
> and it seems when I run this command on a Windows 2012R2 server:
> 
>         powershell "$web=New-Object System.Net.WebClient ; $web.DownloadString('https://www.example.com/')" 2>&1
> 
> it connects with TLSv1.0 only, and this is a client-side limitation.
> 
> To make it use TLSv1.2, I would have to use
> 
>         powershell "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; $web=New-Object System.Net.WebClient ; $web.DownloadString('https://www.example.com/')" 2>&1
> 
> i.e. explicit opt-in.


btw. I checked this on a Windows 10 (1709) machine, and its powershell also
tries connecting with TLSv1.0 only.

To me, it looks more like 100% of the Microsoft Windows installed
base not being ready for a TLSv1.2-only world.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
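
An added example, not part of the original message: one way to check on a given machine which protocol version a .NET client actually negotiates, and to opt in to TLS 1.2 additively instead of replacing the enabled set. `Get-NegotiatedTls` is a hypothetical helper name; `www.example.com` is the host used in the message, and the script needs network access to it.

```powershell
# Added example. Get-NegotiatedTls is a hypothetical helper, not a built-in cmdlet.
function Get-NegotiatedTls {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,
        # Protocol versions this client offers in its ClientHello.
        [System.Security.Authentication.SslProtocols] $Offer =
            [System.Security.Authentication.SslProtocols]::Tls12
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # No client certificate; revocation checking enabled.
            $ssl.AuthenticateAsClient($HostName, $null, $Offer, $true)
            [pscustomobject]@{
                Host       = $HostName
                Offered    = $Offer
                Negotiated = $ssl.SslProtocol
            }
        } finally {
            $ssl.Dispose()
        }
    } catch {
        # Handshake or connection failure: report it instead of aborting the survey.
        [pscustomobject]@{
            Host       = $HostName
            Offered    = $Offer
            Negotiated = "failed: $($_.Exception.Message)"
        }
    } finally {
        $tcp.Close()
    }
}

# What WebClient and other ServicePointManager-based clients use in this process.
"Process default: $([Net.ServicePointManager]::SecurityProtocol)"

# Additive opt-in: keep the currently enabled versions and add TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
"After opt-in:    $([Net.ServicePointManager]::SecurityProtocol)"

# Offer each version separately to see what the client stack and the server agree on.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Get-NegotiatedTls -HostName 'www.example.com' -Offer $p
}
```

The `ServicePointManager` setting is per process, so it has to be applied in every script or application that should stop defaulting to TLS 1.0.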