My domain is: jamesgilbertandson.com
I ran this command: https://www.jamesgilbertandson.com
It produced this output: This page can't be displayed
My web server is (include version): Apache 2
The operating system my web server runs on is (include version): CLOUDLINUX 7.8 kvm
My hosting provider, if applicable, is: UK Web Solutions Direct
I can login to a root shell on my machine (yes or no, or I don't know): no
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM/Cpanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): IE11.0.9600 on Win7
SSLLabs report confirms a handshake_failure for IE11 in Win 7&8 and Safari 6-8, see https://www.ssllabs.com/ssltest/analyze.html?d=www.jamesgilbertandson.com&hideResults=on
However similar sites on another server load fine with IE11 on Win7 using Cpanel CA with cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Hi @Ezyweb-uk
That's expected if you have disabled TLS 1.0 and 1.1.
Win7 has a Service Pack that has added TLS 1.2. So a lot of users don't have that problem.
But SSL Labs uses the "raw Win7", so no TLS 1.0 / 1.1 -> no connection.
TLS 1.0, 1.1, and 1.2 are enabled in the IE11 Advanced Options, and the ssllabs client test indicates TLS 1.2 (and 1.1 and 1.0) as supported.
The same IE11 on Win7 handshakes ok with a Cpanel CA on another server.
Ah, thanks, checked, good to know.
But your setup can't work. That's

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp521r1 (eq. 15360 bits RSA) FS 256

too limited. Windows doesn't support GCM with RSA, and no ChaCha20. So there is no matching cipher suite.
Yes, you have to use the deprecated CBC, so you will have a Grade B.
Thank you for the info above. Is it possible to support IE11 on Win7 or Win8.1 and still achieve Grade A?
Looks like the IE11 client supports the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher.
You have to switch to an EC-certificate.
Then you can use that cipher.
That was my own problem. "check-your-website" now runs on Windows 2019.
But Windows 2012 and the switch SSL Labs CBC -> Grade B -> server-daten.de with a Grade B.
Changed to an EC certificate -> Grade A. Now (with Windows 2019 and disabled TLS 1.0 / 1.1) Grade A+.
But you have to use a client that allows creating EC certificates.
I read here that "ECDSA is still unsupported in Certbot with automated renewal and so it’s still preferable to use a different client if you want automated renewal". However I see there are instructions here on how to setup ECDSA and RSA certificates on the same server with LetsEncrypt CA and openssl.
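To make the negotiation failure discussed in the replies above concrete (the GCM-only server configuration, the CBC fallback that yields Grade B, and the switch to an EC certificate), here is an added example that is not from the thread or from any of the posters: a small Python model of TLS 1.2 cipher-suite selection. All suite lists are constructed for illustration; the Windows 7 client list follows what this thread states (ECDHE_ECDSA AES-GCM supported, ECDHE_RSA AES-GCM and ChaCha20 not) rather than a captured ClientHello, and the model deliberately ignores protocol version, named groups and the signature_algorithms extension.

```python
"""Model of TLS 1.2 cipher-suite selection with a certificate-key-type constraint.

Added example, not code from the original thread. Suite lists are constructed
(assumption): the Windows 7 / IE11 list mirrors the thread's claims, the
"modern" list is a typical current browser. Version, curves and
signature_algorithms are ignored to keep the mechanism visible.
"""
from typing import Iterable, Optional, Set


def required_key_type(suite: str) -> str:
    """Return the certificate key type a suite needs: ECDSA suites need an EC
    certificate, RSA-authenticated suites need an RSA certificate."""
    if "_ECDSA_" in suite:
        return "EC"
    if "_RSA_" in suite:
        return "RSA"
    raise ValueError(f"unsupported authentication in {suite}")


def is_cbc(suite: str) -> bool:
    """CBC suites are the legacy non-AEAD ones; the thread reports SSL Labs
    capping a server that needs them at Grade B."""
    return "_CBC_" in suite


def negotiate(server_suites: Iterable[str], client_suites: Iterable[str],
              cert_key_types: Set[str]) -> Optional[str]:
    """Pick the first suite in server preference order that the client also
    offers and for which the server holds a certificate of the right key type.
    None means no overlap, i.e. the client sees handshake_failure."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered and required_key_type(suite) in cert_key_types:
            return suite
    return None


def outcome(server_suites, client_suites, cert_key_types) -> str:
    """Human-readable summary of a negotiation, mirroring the thread's findings."""
    chosen = negotiate(server_suites, client_suites, cert_key_types)
    if chosen is None:
        return "handshake_failure (no common cipher suite)"
    if is_cbc(chosen):
        return f"{chosen}: CBC, legacy (SSL Labs caps this at Grade B)"
    return f"{chosen}: AEAD, forward secret"


# Server list exactly as the SSL Labs output quoted in the thread (RSA cert only).
GCM_ONLY_RSA = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
# Constructed fallback: the CBC suites the "other server" in the thread offers.
CBC_FALLBACK = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
# Constructed: ECDSA suites put first so an EC certificate is preferred when present.
ECDSA_FIRST = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
]
# Constructed approximation of IE11 on Windows 7 (Schannel), per the thread:
# ECDHE_ECDSA GCM is offered, ECDHE_RSA GCM and ChaCha20 are not.
IE11_WIN7 = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]
# Constructed approximation of a current desktop browser.
MODERN_CLIENT = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    scenarios = [
        ("GCM-only, RSA cert, IE11/Win7", GCM_ONLY_RSA, IE11_WIN7, {"RSA"}),
        ("GCM + CBC, RSA cert, IE11/Win7", GCM_ONLY_RSA + CBC_FALLBACK, IE11_WIN7, {"RSA"}),
        ("ECDSA suites listed, RSA cert only, IE11/Win7", ECDSA_FIRST + GCM_ONLY_RSA, IE11_WIN7, {"RSA"}),
        ("ECDSA suites, RSA + EC certs, IE11/Win7", ECDSA_FIRST + GCM_ONLY_RSA, IE11_WIN7, {"RSA", "EC"}),
        ("ECDSA suites, RSA cert only, modern client", ECDSA_FIRST + GCM_ONLY_RSA, MODERN_CLIENT, {"RSA"}),
    ]
    for name, server, client, certs in scenarios:
        print(f"{name}: {outcome(server, client, certs)}")
```

Running it reproduces the thread's three outcomes: no overlap with the RSA-only GCM configuration, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (the suite the other server negotiates) once CBC is re-enabled, and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 once the ECDSA suites are listed and an EC certificate is actually installed. Listing the ECDSA suites without the EC certificate still fails, which is why the advice is to change the certificate, not just the cipher string; a modern client keeps working with the RSA certificate alone because it also offers ECDHE_RSA GCM.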
system closed November 1, 2020, 2:30pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.