On May 14, 2015, at 8:24 AM, Karl Denninger <k...@denninger.net> wrote:

> [ ... ]
> I'd love to lock out TLS 1.0 but if you do that anyone still running
> anything that uses XP cannot connect.

True for WinXP + IE6:

https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=6&platform=XP

However, large financial institutions like the major banks and large e-commerce sites have disabled SSL v2 and SSL v3. Folks still on XP will need to use IE8, Firefox, Chrome, etc if they want to talk to many secure websites.

> There ARE people out there still using that in the wild. Not a huge
> number, but a material number. On several relatively large systems I
> monitor the "in the wild" user count for Windows XP is still around 4%
> of all users to the sites.
>
> Same problem with RC4. I'd love to lock that out too, but see above --
> that means 4% of the users can't connect (at all.)

WinXP + IE6 or IE8 should be the only common client which has RC4-SHA or RC4-MD5 as the best supported cipher. Everything else should support AES128-SHA or better.

Regards,
--
-Chuck

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"