From: Thomas Springer (tuevsec@gmx.net)
Date: Fri Sep 30 2005 - 03:36:19 EDT
Michael Sierchio wrote:
> I have no idea where you come by your ideas, but SSLv3 is much
> more widely deployed on servers than TLSv1.0.
I don't know how you come by your idea - I do quite a lot of checks and
I've seen literally hundreds of TLS1.0 but only two or three SSLv3.
Check it out with your favourite SSL-Client, be it OpenSSL, GnuTLS or
something else:
R:\>openssl s_client -connect mail.google.com:443
CONNECTED(00000003)
.... [cert-infos deleted]
---
SSL handshake has read 1765 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 7DCF431FC3548D1063E1BC71D43708E74ED9ACC05AC46E04610316AF495A09B9

Try any other SSL-enabled Server you know - I had a hard time finding
any SSL-Servers that won't offer TLS1.0 first.
Or did I simply miss something?

thomas
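Added example, not part of the original message: a Python parser for saved openssl s_client output that takes the negotiated version from the Protocol field of the SSL-Session block (the "New, TLSv1/SSLv3" line names the cipher suite's protocol family, not the negotiated version) and tallies it across captures. The SSLv3 and failed-handshake captures, the host names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# First capture mirrors the fields shown in the message above; the other two
# are constructed samples, not real server output.
CAPTURE_TLS = """\
CONNECTED(00000003)
---
SSL handshake has read 1765 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""
CAPTURE_SSL3 = CAPTURE_TLS.replace("Protocol  : TLSv1", "Protocol  : SSLv3")
CAPTURE_FAIL = "CONNECTED(00000003)\nwrite:errno=104\n"  # handshake never completed

FIELD = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)\s*$", re.M)

def parse_s_client(text):
    """Return negotiated protocol/cipher from the SSL-Session block, or None."""
    # Only look below "SSL-Session:" so the "New, TLSv1/SSLv3" line is ignored.
    _, sep, session = text.partition("SSL-Session:")
    if not sep:
        return None
    fields = dict(FIELD.findall(session))
    if "Protocol" not in fields:
        return None
    return {"protocol": fields["Protocol"], "cipher": fields.get("Cipher")}

def tally(captures):
    """Count negotiated protocol versions across saved captures (host -> text)."""
    counts = Counter()
    for text in captures.values():
        result = parse_s_client(text)
        counts[result["protocol"] if result else "no-handshake"] += 1
    return counts

if __name__ == "__main__":
    captures = {"a.example": CAPTURE_TLS, "b.example": CAPTURE_SSL3,
                "c.example": CAPTURE_FAIL}
    for proto, n in sorted(tally(captures).items()):
        print(f"{proto}: {n}")
```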