On Tuesday, June 07, 2016 05:08:00 pm David Benjamin wrote:
> On Tue, Jun 7, 2016 at 5:06 PM Yoav Nir <ynir.i...@gmail.com> wrote:
> > > On 7 Jun 2016, at 8:33 PM, Hubert Kario <hka...@redhat.com> wrote:
> > > On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote:
> > >> I’m not sure this helps.
> > >>
> > >> I’ve never installed a server that is version intolerant. TLS stacks
> > >> from OpenSSL, Microsoft,
> > >
> > > are you sure about that Microsoft part?
> > >
> > > there is quite a long thread on the filezilla forums about TLS version
> > > tolerance in IIS:
> > > https://forum.filezilla-project.org/viewtopic.php?f=2&t=27898
> >
> > That’s surprising.
> >
> > The last time I tested with IIS servers it was Windows Server 2003 and
> > 2008. They did not support TLS 1.2, so I wanted to check if they could
> > tolerate a TLS 1.2 ClientHello. They did. Of course, they replied with TLS
> > 1.0, but that was expected.
> >
> > It’s strange that this behavior would degrade for much newer versions of
> > Windows that came out at a time where several browsers were already
> > offering TLS 1.2. I wonder if it’s just the FTP or also IIS.
> 
> This is the first I've heard of this and I believe neither Chrome nor
> Firefox accept TLS 1.2 intolerance and below anymore. To my knowledge, that
> has successfully been driven out of the ecosystem.

<insert sarcastic laughter here> ;)

Driven out of the higher traffic mainstream ecosystem, maybe, but there will be 
a long tail of junk servers that stay around for entirely too long (read: 
"forever"), in spite of current versions of clients not accepting it anymore. 
My tracking meta-bug in Mozilla's Bugzilla may have finally been closed last 
month, but that's just tickets filed by people who can actually get a report 
into the thing. Most people just see such brokenness as the browser's fault and 
switch to any (older) browser with compatible brokenness, and to any of us 
they're invisible.

The non-trivial population of servers that are TLS 1.0-1.2 version tolerant but 
not TLS 1.3+ version tolerant is a far more worrying problem, though.


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls