SSL report at Qualys shows two messages in summary
- "This server supports TLS 1.0 and TLS 1.1. Grade capped to B"
- "This site works only in browsers with SNI support."
Is there a need to turn off SNI support at webserver?
Secondly, while browsing on Andriod ver. 7.0 it is showing following information in error details.
"The identity of the website has not been verified.
"Server certificate is not trusted"
SSL certificate is up to date. Is certificate not trusted because IIS building own chain?
It also shows following affirmative messages
- "Your connection to site is encrypted using a modern cipher suite."
- "The connection uses TLS 1.2"
- "The connection is encrypted and authenticated using AES_256_GCM and uses ECDHE_RSA as the key exchanges mechanism"
Thirdly, is DST Root CA X3 expired globally on Sep 30, 2021 for all servers and browsers?
If answer is yes then there would be some updates/fixes available for Windows IIS to accept long chain after expiry. Any comments on this?