> On Jul 10, 2018, at 4:31 PM, Martin Rex <m...@sap.com> wrote:
> 
> m...@sap.com (Martin Rex) wrote:
>> Andrei Popov <Andrei.Popov=40microsoft....@dmarc.ietf.org> wrote:
>>> 
>>> On the recent Windows versions, TLS 1.0 is negotiated more than 10%
>>> of the time on the client side (this includes non-browser connections
>>> from all sorts of apps, some hard-coding TLS versions),
>>> and TLS 1.1 accounts for ~0.3% of client connections.
>> 
>> "On recent Windows versions" sounds like the figure might not account
>> for Windows 7 and Windows Server 2008R2, about half of the installed
>> base of Windows, and where the numbers are likely *MUCH* higher.
>> 
>> When troubleshooting TLS handshake failures, I sometimes try
>> alternative SSL/TLS clients on customer machines through remote support,
>> and it seems when I run this command on a Windows 2012R2 server:
>> 
>>        powershell "$web=New-Object System.Net.WebClient ; $web.DownloadString('https://www.example.com/')" 2>&1
>> 
>> it connects with TLSv1.0 only, and this is a client-side limitation.
>> 
>> To make it use TLSv1.2, I would have to use
>> 
>>        powershell "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; $web=New-Object System.Net.WebClient ; $web.DownloadString('https://www.example.com/')" 2>&1
>> 
>> i.e. explicit opt-in.
> 
> 
> btw. I checked this on a Windows 10 (1709) machine, and its powershell also
> tries connecting with TLSv1.0 only.
> 
> To me, it looks more like 100% of the Microsoft Windows installed
> base not being ready for a TLSv1.2-only world.
> 
Martin,

Do you want to add a PR with this unless further verification is needed?

Thank you,
Kathleen 

> 
> -Martin
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
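
An added example, not part of the original thread: a PowerShell check of what the current session's System.Net client stack will offer, plus a session-level opt-in that adds TLS 1.2 instead of replacing the enabled set as the quoted command does. The function names are hypothetical; the registry values read here (SchUseStrongCrypto, SystemDefaultTlsVersions) are the .NET Framework 4.x machine-wide settings and do not appear in the thread.

```powershell
# Added example (hypothetical function names), not code from the thread.

function Get-DotNetTlsClientDefaults {
    # Protocol set that WebClient / HttpWebRequest will offer in this process.
    $current = [Net.ServicePointManager]::SecurityProtocol
    $tls12   = [int][Net.SecurityProtocolType]::Tls12

    # Machine-wide .NET Framework 4.x opt-in values, 64-bit and 32-bit views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $registry = foreach ($key in $keys) {
        # A missing key or value simply yields $null in the report.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $props.SchUseStrongCrypto
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
        }
    }

    [pscustomobject]@{
        SecurityProtocol = $current
        # A value of 0 means the process defers to the OS (Schannel) defaults.
        UsesOsDefault    = ([int]$current -eq 0)
        Tls12Enabled     = (([int]$current -band $tls12) -ne 0)
        Registry         = $registry
    }
}

function Enable-Tls12ForSession {
    $current = [Net.ServicePointManager]::SecurityProtocol
    # Leave an OS-default configuration alone; otherwise add TLS 1.2 to the
    # existing flags so older protocols still needed by peers are not dropped.
    if ([int]$current -ne 0) {
        [Net.ServicePointManager]::SecurityProtocol = $current -bor [Net.SecurityProtocolType]::Tls12
    }
    [Net.ServicePointManager]::SecurityProtocol
}

# Report before and after the opt-in for this session only.
Get-DotNetTlsClientDefaults | Format-List SecurityProtocol, UsesOsDefault, Tls12Enabled
Enable-Tls12ForSession | Out-Null
Get-DotNetTlsClientDefaults | Format-List SecurityProtocol, UsesOsDefault, Tls12Enabled
```

The opt-in lasts only for the current PowerShell process; the registry values shown in the report are what change the default for every .NET Framework 4.x application on the machine.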
