On Sat, Jul 09, 2022 at 02:30:03PM -0600, Cullen Jennings wrote:
> and there is a section labeled "TLS, old and new" which has a table that
> lists TLS 1.1 at zero.
>
> It also references a more specific file at
> https://crawler.ninja/files/protocols.txt which currently has the following
> in that file
>
> TLS Protocol Versions:
> TLSv1.3 386,472
> TLSv1.2 179,549
> TLSv1.0 515
There's a difference between offering TLS 1.1 and actually in practice
*negotiating* TLS 1.1. For various timing reasons, many systems gained
support (via e.g. OpenSSL) for both TLS 1.1 and TLS 1.2 in the same
software release. As a result, such a software stack will in practice
always negotiate TLS 1.2. You have to go out of your way to elicit a
TLS 1.1 handshake from these systems.
> Again implying 1.1 is at 0. If this is supposed to represent the
> number of sites that offer 1.1, out of the top million, well, I think
> it wrong. I also don't think what web sites are offering a given
> version is a very great metric to estimate what non-browser TLS
> client applications are using but that is a different issue.
Again, offer != negotiate. Here's an example:
$ posttls-finger -c -Lsummary -l secure -F /etc/ssl/cert.pem -p TLSv1.1 "[smtp.gmail.com]:587"
posttls-finger: Verified TLS connection established to smtp.gmail.com[142.251.16.108]:587: TLSv1.1 with cipher ECDHE-ECDSA-AES128-SHA (128/128 bits)
which is far from saying that "smtp.gmail.com" will routinely negotiate
TLS 1.1 when not constrained to a ceiling of 1.1. Measurements of the
*maximum* supported version very rarely encounter TLS 1.1.
--
Viktor.
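The offer-versus-negotiate distinction above, as an added example that is not part of this thread: a small offline model of TLS version selection run over a constructed server population, contrasting a crawl that records each server's default (maximum) negotiated version with a probe that lowers the client ceiling step by step, as `-p TLSv1.1` does for one step. The server profiles and the `negotiate`/`probe_offered`/`crawl_*` helpers are assumptions made for the illustration, not measured data.

```python
"""Model of TLS version selection, used to contrast two measurements:
the version a server negotiates by default versus the versions it will
still accept when the client caps its ceiling. Constructed data; no
network access is used."""
from collections import Counter

# Versions in ascending order; the rank mirrors on-the-wire ordering.
VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {v: i for i, v in enumerate(VERSIONS)}

def negotiate(client_versions, server_versions):
    """Return the highest version both sides support, or None.
    A server picks the highest version it supports that the client
    also offered, which is what both pre-1.3 ceiling selection and the
    TLS 1.3 supported_versions extension amount to."""
    common = set(client_versions) & set(server_versions)
    return max(common, key=RANK.get) if common else None

def probe_offered(server_versions, client_supported=VERSIONS):
    """Enumerate what a server offers by lowering the client's ceiling
    one step at a time (posttls-finger -p <version> is one such step)."""
    offered = set()
    for ceiling in client_supported:
        capped = [v for v in client_supported if RANK[v] <= RANK[ceiling]]
        got = negotiate(capped, server_versions)
        if got:
            offered.add(got)
    return offered

def crawl_max_versions(servers):
    """Tally the default-negotiated version per server, as a crawler
    that offers its full version list would."""
    return Counter(negotiate(VERSIONS, sv) for sv in servers.values())

def crawl_offered_versions(servers):
    """Tally every version each server accepts under some ceiling."""
    tally = Counter()
    for sv in servers.values():
        tally.update(probe_offered(sv))
    return tally

# Constructed population (assumption, not measured data): a stack that
# gained TLS 1.1 and 1.2 in one release never shows 1.1 as its maximum.
SERVERS = {
    "modern": ["TLSv1.2", "TLSv1.3"],
    "same-release-1.1-and-1.2": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "legacy": ["TLSv1.0"],
}

if __name__ == "__main__":
    print("max negotiated:", dict(crawl_max_versions(SERVERS)))
    print("offered:", dict(crawl_offered_versions(SERVERS)))
```

In this model the maximum-version tally shows TLS 1.1 at zero while the ceiling probe shows one server still accepting it, which is the gap between the crawler table and the `posttls-finger` handshake.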
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta