[jdev] SSL/TLS versions
Dave Cridland
dave at cridland.net
Fri Nov 15 09:35:36 UTC 2013
On Fri, Nov 15, 2013 at 8:55 AM, Kevin Smith <kevin at kismith.co.uk> wrote:
> On Fri, Nov 15, 2013 at 2:33 AM, Peter Saint-Andre <stpeter at stpeter.im>wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Matthew Wild has run some analytics on SSL/TLS versions negotiated
>> over a period of time at the jabber.org XMPP service. The percentages
>> were roughly as follows:
>>
>> TLS 1.0 72%
>> TLS 1.2 21%
>> TLS 1.1 4%
>> SSLv3 3%
>>
>> Two points:
>>
>> 1. I'm disappointed that TLS 1.2 is still only ~20%. But that might be
>> driven by operating systems, not XMPP clients.
>>
>> 2. I wonder if some XMPP clients still cannot do TLS and therefore use
>> SSLv3 instead. Or is that too driven by operating systems?
>>
>> I'd have thought that for both of these it's either the OpenSSL from the
> OS, the OS facility itself, or the OpenSSL that got bundled. It seems
> unlikely that any XMPP clients are implementing their crypto layers
> themselves.
>
At a guess, it'll be clients doing SSLv3_method instead of SSLv23_method,
rather than any platform inability.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.jabber.org/jdev/attachments/20131115/6a502092/attachment-0001.html>
More information about the JDev
mailing list