[jdev] SSL/TLS versions

Dave Cridland dave at cridland.net
Fri Nov 15 09:35:36 UTC 2013


On Fri, Nov 15, 2013 at 8:55 AM, Kevin Smith <kevin at kismith.co.uk> wrote:

> On Fri, Nov 15, 2013 at 2:33 AM, Peter Saint-Andre <stpeter at stpeter.im>wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Matthew Wild has run some analytics on SSL/TLS versions negotiated
>> over a period of time at the jabber.org XMPP service. The percentages
>> were roughly as follows:
>>
>> TLS 1.0 72%
>> TLS 1.2 21%
>> TLS 1.1  4%
>> SSLv3    3%
>>
>> Two points:
>>
>> 1. I'm disappointed that TLS 1.2 is still only ~20%. But that might be
>> driven by operating systems, not XMPP clients.
>>
>> 2. I wonder if some XMPP clients still cannot do TLS and therefore use
>> SSLv3 instead. Or is that too driven by operating systems?
>>
>> I'd have thought that for both of these it's either the OpenSSL from the
> OS, the OS facility itself, or the OpenSSL that got bundled. It seems
> unlikely that any XMPP clients are implementing their crypto layers
> themselves.
>

At a guess, it'll be clients doing SSLv3_method instead of SSLv23_method,
rather than any platform inability.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131115/6a502092/attachment-0001.html>


More information about the JDev mailing list