IE11 on Win7 handshake_failure

Ezyweb-uk · October 2, 2020, 11:46am

My domain is: jamesgilbertandson.com

I ran this command: https://www.jamesgilbertandson.com

It produced this output: This page can't be displayed

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): CLOUDLINUX 7.8 kvm

My hosting provider, if applicable, is: UK Web Solutions Direct

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM/Cpanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): IE11.0.9600 on Win7

SSLLabs report confirms a handshake_failure for IE11 in Win 7&8 and Safari 6-8, see https://www.ssllabs.com/ssltest/analyze.html?d=www.jamesgilbertandson.com&hideResults=on

However similar sites on another server load fine with IE11 on Win7 using Cpanel CA with cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

JuergenAuer · October 2, 2020, 11:53am

Hi @Ezyweb-uk

that's expected if you have disabled Tls.1.0 and 1.1.

Win7 has a Service Pack that has added Tls.1.2. So a lot of users don't have that problem.

But Ssllabs uses the "raw Win7", so no Tls.1.0 / 1.1 -> no connection.

Ezyweb-uk · October 2, 2020, 12:16pm

TLS 1.0, 1.1, and 1.2 are enabled in the IE11 Advanced Options, and the ssllabs client test indicates TLS 1.2 (and 1.1 and 1.0) as supported.

The same IE11 on Win7 handshakes ok with a Cpanel CA on another server.

JuergenAuer · October 2, 2020, 12:34pm

Ah, thanks, checked, good to know.

But your setup can't work:

That's

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp521r1 (eq. 15360 bits RSA) FS	128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp521r1 (eq. 15360 bits RSA) FS	256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp521r1 (eq. 15360 bits RSA) FS	256

too limited. Windows doesn't support GCM with RSA and no Chacha20. So there is no matching Cipher suite.

Yes, you have to use the deprecated CBC, so you will have a Grade B.

Ezyweb-uk · October 2, 2020, 1:22pm

Thank you for the info above. Is it possible to support IE11 on Win7 or Win8.1 and still achieve Grade A?

Looks like the IE11 client supports the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher.

JuergenAuer · October 2, 2020, 1:31pm

You have to switch to an EC-certificate.

Then you can use that cipher.

That was an own problem. "check-your-website" now runs on Windows 2019.

But Windows 2012 and the switch SslLabs CBC -> Grade B -> server-daten.de with a Grade B.

Changed to an EC certificate -> Grade A. Now (with Windows 2019 and disabled Tls.1.0 / 1.1) Grade A+.

But you have to use a client that allows creating EC certificates.

Ezyweb-uk · October 2, 2020, 2:47pm

I read here that "ECDSA is still unsupported in Certbot with automated renewal and so it’s still preferable to use a different client if you want automated renewal". However I see there are instructions here on how to setup ECDSA and RSA certificates on the same server with LetsEncrypt CA and openssl.

system · November 1, 2020, 2:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.