----- Original Message ----- > From: "Kurt Roeckx" <k...@roeckx.be> > To: openssl-dev@openssl.org > Sent: Saturday, 28 June, 2014 8:05:21 PM > Subject: Re: SSLv2 & SSLv3 > > > The most recent stats about servers I know about is: > https://lists.fedoraproject.org/pipermail/security/2014-April/001810.html
There are newer from June: https://lists.fedoraproject.org/pipermail/security/2014-June/001945.html (it looks though like enabling SNI made SSLv2 sites drop off, I'll see if I can do something about it next month) And a bit older from May: https://lists.fedoraproject.org/pipermail/security/2014-May/001853.html But as Steven said, SSLv2 won't be enabled client or server side if the default cipher order is not modified to include SSLv2 ciphers so there is limited gain in disabling SSLv2. As far as misconfigured servers go, single DES and export grade ciphers are much, much more common problem at 20% and 15% respectively. -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: hka...@redhat.com Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org