Re: How to check for SSL1 ?

From: Thomas Springer (tuevsec@gmx.net)
Date: Fri Sep 30 2005 - 03:36:19 EDT


Michael Sierchio wrote:

> I have no idea where you come by your ideas, but SSLv3 is much
> more widely deployed on servers than TLSv1.0.

I don't know how you come by your idea - I do quite a lot of checks and
I've seen literally hundreds of TLS1.0 but only two or three SSLv3.

Check it out with your favourite SSL-Client, be it OpenSSL, GnuTLS or
something else:

R:\>openssl s_client -connect mail.google.com:443
CONNECTED(00000003)
.... [cert-infos deleted]

---
SSL handshake has read 1765 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: 7DCF431FC3548D1063E1BC71D43708E74ED9ACC05AC46E04610316AF495A09B9

Try any other SSL-enabled Server you know - I had a hard time finding
any SSL-Servers that won't offer TLS1.0 first.
Or did I simply miss something?

thomas
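
Added example, not part of the original post: the "Protocol" line that s_client prints comes from the version field of the server's ServerHello, and this Python code reads that field from raw reply bytes, going slightly beyond the post by also covering TLS 1.1/1.2 values and the case where the server answers with an alert instead. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Version field values; SSLv3 and TLS 1.0-1.2 share this record layout.
# (TLS 1.3 signals its version in an extension and is not handled here.)
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def negotiated_version(data: bytes) -> dict:
    """Parse the first record of a server reply and report what it selected."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length or length < 2:
        raise ValueError("truncated record")
    if ctype == 21:  # alert record: the server refused what the client offered
        return {"accepted": False, "alert": ALERTS.get(body[1], str(body[1]))}
    if ctype != 22 or body[0] != 2 or length < 41:
        raise ValueError("not a ServerHello")
    # Handshake header is type(1) + length(3), then server_version(2), random(32).
    version = struct.unpack("!H", body[4:6])[0]
    sid_len = body[38]
    if length < 41 + sid_len:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
    return {"accepted": True, "protocol": VERSIONS.get(version, hex(version)),
            "cipher": f"0x{cipher:04x}"}


def _server_hello(version: int, cipher: int) -> bytes:
    """Constructed sample: a minimal ServerHello with a 32-byte session id."""
    hello = struct.pack("!H", version) + bytes(32) + bytes([32]) + bytes(range(32))
    hello += struct.pack("!HB", cipher, 0)  # cipher suite, no compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


# Constructed inputs, not captured traffic. 0x0035 is the suite OpenSSL calls AES256-SHA.
SAMPLE_TLS1 = _server_hello(0x0301, 0x0035)
SAMPLE_SSL3 = _server_hello(0x0300, 0x0035)
SAMPLE_REFUSED = struct.pack("!BHHBB", 21, 0x0300, 2, 2, 40)  # fatal handshake_failure

if __name__ == "__main__":
    for name, raw in [("tls1", SAMPLE_TLS1), ("ssl3", SAMPLE_SSL3), ("refused", SAMPLE_REFUSED)]:
        print(name, negotiated_version(raw))
```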

