TLS Support Statistics: Web Servers & Browsers

TL;DR

Finding up-to-date TLS support statistics for web servers and browsers requires checking several sources, as no single place has everything. This guide shows you where to look and how to interpret the data.

Understanding the Problem

TLS (Transport Layer Security) is essential for secure communication on the internet. Knowing which versions of TLS are supported by web servers and browsers helps assess overall cyber security posture, identify potential vulnerabilities, and plan upgrades. Older TLS versions (like 1.0 & 1.1) are considered insecure.

Solution: Gathering Statistics

  1. Web Server TLS Support
    • SSL Labs SSL Server Test: This is your first stop. It provides a detailed analysis of a specific server’s TLS configuration, including supported protocols and ciphers.
      https://www.ssllabs.com/ssltest/

      It gives you a grade (A+ being best) and lists the supported versions.

    • Mozilla SSL Configuration Generator: While primarily for generating configuration files, it also shows current recommended TLS settings.
      https://ssl-config-generator.mozilla.org/
    • KeyCDN’s HTTPS Statistics: KeyCDN regularly publishes statistics on the prevalence of different TLS versions across millions of websites.
      https://keycdn.com/https-statistics

      This gives a broad overview, but it isn’t server-specific.

    • crt.sh Search: You can search for certificates issued to domains and see which TLS versions are likely supported.
      https://crt.sh/

      Enter a domain name to find its certificate details.

  2. Browser TLS Support
    • Can I Use…: This website provides compatibility tables for web technologies, including TLS features.
      https://caniuse.com/?search=tls

      It shows browser support for different TLS versions and extensions. Filter by browser version to get precise data.

    • Browser Release Notes: Check the official release notes of major browsers (Chrome, Firefox, Safari, Edge) for details on TLS support changes in each new version.
  3. Interpreting the Data
    • Focus on TLS 1.3: This is the latest and most secure version. Aim for full support across both servers and browsers.
    • Disable TLS 1.0 & 1.1: These are outdated and vulnerable. Remove them from your server configuration.
    • Check Cipher Suites: Ensure you’re using strong cipher suites (e.g., those with AES-GCM). SSL Labs will flag weak ciphers.
    • Regular Monitoring: TLS support evolves. Regularly re-test your servers and stay informed about browser updates.

Tools for Automated Testing

For larger deployments, consider using automated tools:

  • TestSSL.sh: A command-line tool to test TLS configurations.
    ./testssl.sh --protocols example.com
  • Nmap with SSL Scripts: Nmap can scan for TLS vulnerabilities and supported versions.
    nmap -p 443 --script ssl-enum-ciphers example.com
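
The checks from "Interpreting the Data", applied to the output of the nmap command above. This is an added example, not part of the original page: the scan text is a constructed sample, the function names are illustrative, and accepting any AEAD suite (GCM, CCM, ChaCha20-Poly1305) is an assumption that generalises the page's AES-GCM example.

```python
import re

# Constructed sample of `nmap -p 443 --script ssl-enum-ciphers` output (not a real scan).
SAMPLE = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|_  least strength: A
"""

DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# Assumption: AEAD suites are the "strong" ones; the page names AES-GCM only as an example.
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+)\s")

def parse(output):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers text."""
    result, current = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            result[current].append(m.group(1))
    return result

def audit(protocols):
    """List findings: deprecated protocols, missing TLS 1.3, non-AEAD ciphers."""
    findings = [f"{p} enabled: disable it" for p in protocols if p in DEPRECATED]
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 not offered")
    for proto, ciphers in protocols.items():
        for cipher in ciphers:
            # Ciphers under a deprecated protocol are already covered by the protocol finding.
            if proto not in DEPRECATED and not any(k in cipher for k in AEAD_MARKERS):
                findings.append(f"{proto}: non-AEAD cipher {cipher}")
    return findings
```

Save a real scan with `nmap ... > scan.txt` and pass the file's contents to `audit(parse(...))` to get the same list for your own server.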