1

I'm trying to find or compile a list of the last versions of the most common browsers (i.e. IE, Firefox, Chrome, Safari, Opera) which supported only SSLv2.

Please note, I have seen this question, but I also found a Microsoft Answer which states otherwise, so I'm not considering it as reliable.

The list so far:

  • Internet Explorer: IE6 (no service packs)
    ( IE7 uses SSLv3 by default, updated IE6 will also use SSLv3 [source] )
Gurzo

2 Answers

3

The Microsoft Answer you link to doesn't contradict the answer to the question you link to. It just says that IE7 was the first one to use SSLv3 by default. Whether IE7 is the first version of IE to do this by default doesn't really matter.

Your question is specifically about which browser did not support anything above SSLv2 at all.

This Apache Httpd/mod_ssl FAQ suggests that IE 5.x already had support for SSLv3 (albeit broken when used against some versions of OpenSSL):

> The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation, which interacts badly with OpenSSL versions greater than 0.9.4.

Bruno
  • From the MS Answer "But Internet Explorer 6 without any service packs **cannot use** this version of the protocol.", while the linked SO question says "SSLv3 support was added in [...] Internet Explorer 3.x" (my emphasis). To me, it still looks like anything below a patched IE6 can't use SSLv3. – Gurzo Apr 11 '12 at 10:14
  • 1
    Considering the degree of precision required by this question, I'm not sure I'd give too much credit to this statement in a question answered by a support person to a question 10 years after the events (not that you should trust SO answers either...). A quick search shows a number of mentions of SSLv3 with versions of IE before 6 (although they mention problems). There is even a screenshot of the options in MSIE4 [here](http://users.hal-pc.org/explorer/ie40config008.html) suggesting support for SSLv3. (Not sure what the point of your question is anyway: you could untick SSLv3/TLS.) – Bruno Apr 11 '12 at 10:57
  • First of all, thanks for providing more info! I've been asked this question by a client who would like to turn off SSLv2 on his web apps, but first wishes to know which browsers won't be compatible. – Gurzo Apr 11 '12 at 11:12
  • Any browser that's not recent enough to support SSLv3 at all will also be unable to support strong enough cipher suites (look into the history of export cipher suites) and will have plenty of unpatched security bugs (in which case SSLv2/3 is only one of many concerns). – Bruno Apr 11 '12 at 11:34
  • 1
    @Gurzo It's worth noting that Sun Java has never supported SSLv2 at all, so any web app deployed with Sun Java doesn't support it either. – user207421 Apr 11 '12 at 18:05
  • @Bruno: Yep, most versions of Netscape 1.x had a weak random number generator, which is a serious problem. – Yuhong Bao Nov 14 '14 at 02:38
0

SSLv3 was introduced with Netscape 3 and is in IE3 too.

Yuhong Bao