On 1/27/2016 07:56, Nulik Nol wrote:
> Hi,
> I have to implement SSL/TLS in a proprietary web server daemon. I am
> only familiar with SSL as a user, not as a developer, so my question is:
> What versions of SSL should I support for best compatibility and
> optimal development time? How many old browsers are out there that
> still use older SSL versions? Because Wikipedia says SSL 3.0 was
> deprecated by Jun 2015, but if I only implement TLS, I may lose many
> visitors with old browsers, right?
>
> Please advise.
> TIA
> Nulik

Some, to use a single word. Not many, though.

The notable problems come from very old mobile handsets (e.g. Froyo and similar Android). I have about 3% of my users on systems I manage still hitting them from XP machines as an example of "old", which are potential issues in this regard, BUT TLS 1.0 is supportable by XP -- so shutting off SSL3 won't kill those users. There are a smattering of machines that still hit my sites running Windows 98, however (well under 1%), believe it or not.

Be aware that the OpenSSL defaults when you define a server context are inappropriate for most purposes, and thus you have to do a bit more work when programming a server to get a reasonably secure environment than when connecting using OpenSSL as a client. Specifically, be aware of issues surrounding client renegotiation requests (which can turn into a denial-of-service problem) and how you handle Diffie-Hellman (if you choose to load said keys), along with the ECDH cipher set.

For a server you also have to consider whether you're going to multiplex or multithread, as OpenSSL requires some additional attention at the programming level (for locking) in a threaded application.

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
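To put Karl's four points (protocol floor, client renegotiation, DH/ECDH handling, and the fact that a bare server context is not a safe one) into concrete form, here is an added example that is not from the thread or from OpenSSL's own code. It uses Python's standard ssl module because that is a thin wrapper over the same SSL_CTX the C API exposes, so each call has a direct C counterpart (minimum_version -> SSL_CTX_set_min_proto_version, options -> SSL_CTX_set_options, set_ciphers -> SSL_CTX_set_cipher_list, set_ecdh_curve -> SSL_CTX_set_tmp_ecdh, load_dh_params -> SSL_CTX_set_tmp_dh). The cipher string, the choice of prime256v1, the optional DH parameter file path, and the function names are my own assumptions; nothing in the thread prescribes them.

```python
"""Server-side TLS context set up along the lines of the reply above.

Added example, not code from the thread or from OpenSSL.  The Python ``ssl``
module wraps the same SSL_CTX the C API exposes, so each call below maps onto
an OpenSSL C function named in the comment next to it.
"""
import ssl
from typing import Optional

# Assumed cipher policy (my choice, not from the original post): only
# authenticated, forward-secret ECDHE/DHE suites; no anonymous or null
# suites, no MD5 MACs, no RC4.  Equivalent C call: SSL_CTX_set_cipher_list().
SERVER_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5:!RC4"

# SSL_OP_NO_RENEGOTIATION exists only for OpenSSL >= 1.1.0h (exposed by
# Python 3.7+).  On older libssl the usual workaround is an info callback
# (SSL_CTX_set_info_callback) that watches for SSL_CB_HANDSHAKE_START on an
# already-established connection and closes it instead of renegotiating.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def hardened_server_context(
    dh_params_path: Optional[str] = None,
    floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1,
) -> ssl.SSLContext:
    """Build a server context with the pitfalls from the reply closed off.

    ``floor`` defaults to TLS 1.0 so XP-era clients still connect while SSLv2
    and SSLv3 are refused outright; raise it to TLSv1_2 once you can afford
    to drop those clients.  ``dh_params_path`` is an optional PEM file of DH
    parameters (e.g. produced by ``openssl dhparam 2048``), assumed to exist.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # Protocol floor (SSL_CTX_set_min_proto_version): everything below
    # ``floor`` is rejected during the handshake, which covers SSLv2/SSLv3.
    ctx.minimum_version = floor

    # Client-initiated renegotiation costs the server a full handshake each
    # time; a client can loop it as a cheap CPU denial of service.
    # (SSL_CTX_set_options with SSL_OP_NO_RENEGOTIATION.)
    ctx.options |= OP_NO_RENEGOTIATION

    # The server, not the client, decides cipher order, and the list is
    # restricted to forward-secret authenticated suites.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(SERVER_CIPHERS)

    # ECDH: pin the curve used for ECDHE key exchange (SSL_CTX_set_tmp_ecdh).
    ctx.set_ecdh_curve("prime256v1")

    # DHE suites are only offered once DH parameters are loaded
    # (SSL_CTX_set_tmp_dh); with none loaded they simply drop out of the
    # negotiation and only the ECDHE suites above remain.
    if dh_params_path is not None:
        ctx.load_dh_params(dh_params_path)

    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which of the reply's concerns a given context addresses."""
    suites = ctx.get_ciphers()
    forward_secret = all(
        c["protocol"] == "TLSv1.3" or "ECDHE" in c["name"] or "DHE" in c["name"]
        for c in suites
    )
    return {
        "sslv3_refused": ctx.minimum_version >= ssl.TLSVersion.TLSv1,
        "tls10_allowed": ctx.minimum_version <= ssl.TLSVersion.TLSv1,
        # None means this libssl predates SSL_OP_NO_RENEGOTIATION.
        "renegotiation_off": (bool(ctx.options & OP_NO_RENEGOTIATION)
                              if OP_NO_RENEGOTIATION else None),
        "server_cipher_order": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "forward_secret_only": forward_secret,
    }


if __name__ == "__main__":
    for check, ok in audit_context(hardened_server_context()).items():
        print(f"{check:22s} {ok}")
```

Two caveats a practitioner will hit. First, on OpenSSL 3.x the default security level (1) also refuses the SHA-1/MD5-based signatures that TLS 1.0 and 1.1 handshakes use, so keeping the floor at TLS 1.0 additionally requires security level 0 (in the C API SSL_CTX_set_security_level(ctx, 0); from Python, append "@SECLEVEL=0" to the cipher string); leaving the floor at TLS 1.0 but forgetting this yields a context that looks permissive in the audit above and still turns XP clients away. Second, on the threading point in the reply: OpenSSL 1.1.0 and later lock internally, but a threaded server on OpenSSL 1.0.x must install CRYPTO_set_locking_callback() and CRYPTO_THREADID_set_callback() before any SSL object is shared across threads; the Python wrapper does this for you, a hand-written C daemon does not.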