On Wednesday, 20 July 2016 13:57:36 CEST Ilari Liusvaara wrote:
> On Wed, Jul 20, 2016 at 11:20:46AM +0200, Hubert Kario wrote:
> > So I have partial results after scanning around 14 000 domains.
> > The scanner was able to connect to 12 606 hosts that presented unexpired
> > certificates signed by CA's in Mozilla root program.
> >
> > Of those:
> > 93% support TLSv1.2 protocol (11807)
> > a single one is intolerant to TLSv1.2 Client Hello
> > 3.7% (469) are intolerant to TLSv1.3 Client Hello
> > 4.4% (556) are intolerant to TLSv1.4 Client Hello
> >
> > (by intolerant, I mean, I was not able to connect to them with any hello
> > message that looked like an IE, Chrome or Firefox Client Hello with just
> > version changed or additionally some or all extensions removed)
> >
> > at the same time, 15.5% (1965) are intolerant to an "Xmas tree" Client
> > Hello (one that includes many ciphers, few TLSv1.3 key shares, etc.
> > bringing its size to something like 2800 bytes)
>
> Wonder how big part of the difference is due to steps (eg. 1024 and
> 2048 bytes) in between and how much is due to the extra extensions or
> ciphers.
>
> > 49% (6240) are intolerant to a Client Hello with no extensions but
> > big number of ciphers that bring its size to 16388 bytes)
> > 91.5% (11539) are intolerant to a Client Hello with no extensions
> > but a number of ciphers that bring it well above single record layer limit
> > (16.5KiB)
>
> Wonder how much of that is again size thresholds (in Ciphersuites and
> in total ClientHello size) and how much is fragmenting the Client
> Hello to multiple fragments...
yes, that's something I'd like to figure out too, but I was thinking of
using a bisect approach to do it, so it will be more complex to do => I
won't do this for this month's scan

patches welcome, though :)

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
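The bisection Hubert mentions, as an added example that is not part of the thread or of his scanner: a size-controlled, extension-free ClientHello builder, record fragmentation at the 16384-byte TLSPlaintext limit, and a bisection over the cipher count that locates a server's cut-off in about 13 connection attempts instead of thousands. The server is a constructed model (`intolerant_server_model`, a hypothetical name) that rejects a ClientHello above a byte limit or one split over more than one record; a real tool would replace it with a connection attempt.

```python
import struct

RECORD_MAX = 16384  # max TLSPlaintext fragment length (RFC 5246, section 6.2.1)


def build_client_hello(n_ciphers: int) -> bytes:
    """TLS 1.2 ClientHello handshake message with no extensions; its size is
    controlled only by the number of cipher suites in the list (43 + 2n bytes)."""
    assert 1 <= n_ciphers <= 0x7FFF, "cipher_suites length field is 16-bit"
    body = b"\x03\x03"                      # client_version = TLS 1.2
    body += bytes(32)                       # random: constructed zeros, enough for a size probe
    body += b"\x00"                         # empty session_id
    suites = b"".join(struct.pack(">H", i) for i in range(1, n_ciphers + 1))  # filler suite ids
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                     # compression_methods: null only
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)


def to_records(handshake: bytes) -> list:
    """Wrap a handshake message into TLS records, fragmenting at RECORD_MAX."""
    chunks = [handshake[i:i + RECORD_MAX] for i in range(0, len(handshake), RECORD_MAX)]
    return [b"\x16\x03\x03" + struct.pack(">H", len(c)) + c for c in chunks]  # ContentType handshake(22)


def bisect_threshold(accepts, lo: int, hi: int) -> int:
    """Smallest cipher count the server rejects, given accepts(lo) and not accepts(hi).
    Each step is one connection attempt, so log2(hi - lo) probes instead of hi - lo."""
    assert accepts(lo) and not accepts(hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if accepts(mid):
            lo = mid
        else:
            hi = mid
    return hi


def intolerant_server_model(limit: int):
    """Constructed stand-in for a real server: rejects a ClientHello larger than
    `limit` bytes or one that arrives split over more than one record."""
    def accepts(n_ciphers: int) -> bool:
        hello = build_client_hello(n_ciphers)
        return len(hello) <= limit and len(to_records(hello)) == 1
    return accepts


if __name__ == "__main__":
    n = bisect_threshold(intolerant_server_model(2048), 1, 8192)
    print(n, len(build_client_hello(n)))    # 1003 2049: first hello past a 2048-byte cut-off
```

Swapping in a model with a very large byte limit makes the same bisection find the fragmentation threshold instead (the first cipher count whose hello no longer fits a single record).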
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls