Re: [Last-Call] [Uta] Artart last call review of draft-ietf-uta-rfc7525bis-09

On Sat, Jul 09, 2022 at 02:30:03PM -0600, Cullen Jennings wrote:

> and there is a section labeled "TLS, old and new" which has a table that lists TLS 1.1 at zero.
>
> It also references a more specific file at https://crawler.ninja/files/protocols.txt which currently has the following in that file
> 
> TLS Protocol Versions:
> TLSv1.3 386,472
> TLSv1.2 179,549
> TLSv1.0 515

There's a difference between offering TLS 1.1 and actually in practice
*negotiating* TLS 1.1.  For various timing reasons, many systems gained
support (via e.g. OpenSSL) for both TLS 1.1 and TLS 1.2 in the same
software release.  As a result, such a software stack will in practice
always negotiate TLS 1.2.  You have to go out of your way to elicit a
TLS 1.1 handshake from these systems.

> Again implying 1.1 is at 0. If this is supposed to represent the
> number of sites that offer 1.1, out of the top million, well, I think
> it is wrong. I also don’t think what web sites are offering a given
> version is a very great metric to estimate what non browsers TLS
> client applications are using but that is a different issue.

Again, offer != negotiate.  Here's an example:

    $ posttls-finger -c -Lsummary -l secure -F /etc/ssl/cert.pem -p TLSv1.1 "[smtp.gmail.com]:587"
    posttls-finger: Verified TLS connection established to smtp.gmail.com[142.251.16.108]:587: TLSv1.1 with cipher ECDHE-ECDSA-AES128-SHA (128/128 bits)

which is far from saying that "smtp.gmail.com" will routinely negotiate
TLS 1.1 when not constrained to a ceiling of 1.1.  Measurements of the
*maximum* supported version very rarely encounter TLS 1.1.

-- 
    Viktor.

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
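
The offer-versus-negotiate distinction made in the message above, as an added example that is not part of the original e-mail: a small model of version selection run over a constructed server population. The host names, the enabled-version sets and the function names are all assumptions made for illustration.

```python
from collections import Counter

# Protocol versions in ascending order (names as they appear in the thread).
ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def negotiate(server_versions, client_max, client_min="TLSv1.0"):
    """Return the version a handshake settles on, or None if none overlaps.

    Simplified model: the server picks the highest version it has enabled
    that falls inside the client's [client_min, client_max] range.
    """
    lo, hi = ORDER.index(client_min), ORDER.index(client_max)
    usable = [v for v in server_versions if lo <= ORDER.index(v) <= hi]
    return max(usable, key=ORDER.index) if usable else None

def survey_negotiated(servers, client_max="TLSv1.3"):
    """Tally what a scan records when it logs the negotiated version."""
    return Counter(negotiate(s, client_max) for s in servers.values())

def survey_offered(servers, version):
    """Count servers that complete a handshake when pinned to `version`."""
    return sum(
        negotiate(s, version, client_min=version) == version
        for s in servers.values()
    )

# Constructed population (hypothetical hosts). Stacks that gained TLS 1.1
# and TLS 1.2 in the same release enable both, so 1.1 is never the maximum.
SERVERS = {
    "modern.example": {"TLSv1.2", "TLSv1.3"},
    "compat.example": {"TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"},
    "mail.example": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "legacy.example": {"TLSv1.0"},
}

if __name__ == "__main__":
    print("negotiated, unconstrained client:", dict(survey_negotiated(SERVERS)))
    print("servers offering TLSv1.1:", survey_offered(SERVERS, "TLSv1.1"))
```

The negotiated-version tally has no TLSv1.1 row even though half of the constructed servers accept it when the client is capped there, which is the same shape as the crawler figures quoted in the thread.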