On Tue, Nov 19, 2024 at 00:48:48 +1100, Viktor Dukhovni via mailop wrote:
> Top 10 TLS protocol/cipher/cert choices among DANE MX hosts seen by the
> survey (https://stats.dnssec-tools.org):
>
>     30421 TLS 1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_RSA
> -->  3738 TLS 1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_EC
>      1291 TLS 1.3 with TLS_AES_256_GCM_SHA384,P256,PubKeyALG_RSA
>      1021 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,P256
>       919 TLS 1.3 with TLS_AES_256_GCM_SHA384,P384,PubKeyALG_RSA
>       793 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,X25519
> -->   714 TLS 1.2 with TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,X25519
>       364 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,P384
> -->   305 TLS 1.3 with TLS_AES_256_GCM_SHA384,P256,PubKeyALG_EC
>       180 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,X25519
>
> As you can see EC is used at just around 10% of these MX hosts. So
> certainly widely enough that one can expect most senders to support EC,
> but at the margins RSA is still "safer".
I think most of those, at least including gmail.com, use dual (ECC+RSA) certs, typically with preference for ECC, so "support ECC" doesn't mean "not support RSA".

From sniffing TLS handshakes in SMTP connections for supported ciphers, the ones supporting only RSA were mostly banks...

Geert

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
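As an added example (not code from the thread or from the survey), a parser for the survey rows quoted above that tallies DANE MX hosts by certificate key algorithm, handling the detail the table leaves implicit: TLS 1.3 rows carry an explicit PubKeyALG_* field, while TLS 1.2 rows encode the authentication algorithm inside the cipher suite name. The row format is assumed from the quoted text, and the EC share it computes covers only the ten rows shown, not the whole survey.

```python
import re
from collections import Counter

# Survey rows as quoted in the thread (DANE MX hosts per TLS configuration).
SURVEY_ROWS = """\
30421 TLS 1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_RSA
--> 3738 TLS 1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_EC
1291 TLS 1.3 with TLS_AES_256_GCM_SHA384,P256,PubKeyALG_RSA
1021 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,P256
919 TLS 1.3 with TLS_AES_256_GCM_SHA384,P384,PubKeyALG_RSA
793 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,X25519
--> 714 TLS 1.2 with TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,X25519
364 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,P384
--> 305 TLS 1.3 with TLS_AES_256_GCM_SHA384,P256,PubKeyALG_EC
180 TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,X25519
"""

# Optional "-->" marker, host count, TLS version, then comma-separated
# cipher, key-exchange group and (TLS 1.3 rows only) PubKeyALG_* fields.
ROW_RE = re.compile(r"^(?:-->\s*)?(\d+)\s+TLS (1\.[23]) with (\S+)$")


def parse_row(line):
    """Return (count, version, cipher, group, pubkey_alg), or None for a non-row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    count, version, fields = int(m.group(1)), m.group(2), m.group(3).split(",")
    cipher, group = fields[0], fields[1]
    if version == "1.3":
        # TLS 1.3 suite names carry no authentication algorithm, so the
        # survey appends an explicit PubKeyALG_RSA / PubKeyALG_EC field.
        alg = fields[2].split("_", 1)[1]
    else:
        # TLS 1.2 suite names encode the certificate key type directly
        # (TLS_ECDHE_ECDSA_WITH_... versus TLS_ECDHE_RSA_WITH_...).
        alg = "EC" if "_ECDSA_" in cipher else "RSA"
    return count, version, cipher, group, alg


def tally(text):
    """Hosts per certificate key algorithm and the total across all rows."""
    by_alg = Counter()
    for line in text.splitlines():
        row = parse_row(line)
        if row:
            by_alg[row[4]] += row[0]
    return by_alg, sum(by_alg.values())


def ec_share(text):
    """Fraction of surveyed hosts presenting an EC certificate."""
    by_alg, total = tally(text)
    return by_alg["EC"] / total
```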