Yes, whoever is providing that web server to you.
I don’t have any old device with me right now; soon I will try and let you know. On my iPhone XS Max and Windows 10 laptop I have the padlock. Thank you so much.
The problem is only with old mobile phones. Old people are still using old phones. I sent one page to a very important professor emeritus, he is 90 years old, and he told me that he can’t open my website on his mobile, getting notifications that the website is “not secure”, ATM cards etc…
It's very bad for reputation. Then I checked on Samsung A8 and J5 and I found that it's really not working.
@sasamilivojev I still see that you are sending out two different cert chains. One from Let's Encrypt. The other is from Comodo that expired almost 2 years ago and is even for a different domain name (orion.rs). You should remove the Comodo cert.
Even after removing that there is bad news. IIS will, by default, send the "short chain" for Let's Encrypt certificates ending in ISRG Root X1. This is known to be incompatible with Android devices before v7.1.1 which need the "long chain" ending in DST Root CA X3.
The two best options for IIS needing to support old Android are these:
- (Easiest) Switch to a different ACME CA that provides certs still compatible with the Android version you're targeting (maybe ZeroSSL)
- (Hacky/Unsupported) Tweak the Windows cert stores in such a way that it forces the OS to pick the long chain. (Guide)
These options come from an ACME developer who wrote about this here. He describes other options but they are more complicated.
Thank you. I sent this to the domain/hosting provider. I hope they will do something.
Dear Sasha,
Your site is working properly and is available on the Internet. As we have already stated, unfortunately for security and functional reasons it is not possible to reduce the TLS value to 1 at the level of the shared hosting server because that version is already 3 years out of date and this would significantly jeopardize the operation of the server itself and all users on it.
If a certain user (on any of his devices) anywhere in the world has a problem in the browser, he can reduce the TLS value in the browser he uses at his own risk and thus regulate the warning for TLS, but the change itself at the level of our server is not possible due to the above reasons.
If you want, you can consider switching to a VPS server that can be configured according to your needs.
You can find more information about our VPS server offer at the link: Cloud serveri - DataKing Cloud and you can certainly contact colleagues from hosting sales for more information by email hosting.prodaja@oriontelekom.rs or by phone 011/4 100 100 option 5 then sub-option 1.
Best regards,
Hosting service maintenance engineer
Orion Telecom
www.oriontelekom.rs
Tel: +381 11 4 100 100, option 5, then option 2
Fax: +381 11 4 100 033
Ticket details
Ticket ID: NQX-250-88889
Department: Hosting
Type: Claim
Status: Closed
Priority: Very low
I tried your site on an old Android device this morning. I got an error about a faulty certificate but was able to proceed if I clicked on the advanced option to ignore the error. This is not normally recommended but you know your site is safe so your professor could try this until you get a permanent solution.
You mentioned a Zero SSL cert. If you can replace the Let's Encrypt cert with that it should help. As I described in my prior post. But, the wrong cert for orion.rs should be removed too.
The TLS options should be improved but they are not stopping older Android from connecting. You actually have too many TLS / SSL protocols - not too few. The email you got from your hosting service was wrong. You could refer them to the SSL Labs test result if you want to pursue that.
Not true, it is very insecure (improper).
The "applied" TLS value is "*" - even SSLv3 is currently enabled!
Do they run any "tests" against their servers?
The system is already in great jeopardy!
I would consider switching to another HSP.
[they seem to be very clueless]
What can I do if they don’t want to help me? They don’t care.
What can I do? Nothing.
Ask them for full control of your http/https web server.
And if they won't do that, switch hosting provider; here is Netcraft's Most Reliable Hosting Company Sites in June 2022
OR
Switch to a better Hosting Service Provider (HSP).
But at least it is the "Latest Version!", it says so right on the box. And they wouldn't lie about a thing like that.
I think I will stop paying them for hosting! They don’t deserve it. Only the domain. Why pay for hosting if Blogger gives it for free, and many other platforms too? I have connected the famous Blogger to the subdomain b.sasamilivojev.com
I have connected the free Teletype to the FREE Russian domain миливоев.я.рус, and another Tumblr to the domain сашамиливоев.мир.рус, and they don’t have problems with certificates.
What do they need to do? Also add TLS v1.3?
Remove SSL 3, TLS v1.0, TLS v1.1.
Adding TLS v1.3 would be very nice.
./testssl.sh https://www.sasamilivojev.com/
###########################################################
testssl.sh 3.1dev from https://testssl.sh/dev/
(88e80d2 2022-07-02 22:13:06)
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "LibreSSL 3.5.2" [~72 ciphers]
on e6430-i5:/usr/bin/openssl
(built: "date not available", platform: "information not available")
Start 2022-07-20 17:30:17 -->> 77.105.36.83:443 (www.sasamilivojev.com) <<--
rDNS (77.105.36.83): plesk13.orion.rs.
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
**SSLv3 offered (NOT ok)**
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY Local problem: /usr/bin/openssl doesn't support NPN/SPDY
ALPN/HTTP2 not offered
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
**LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) offered (NOT ok)**
Triple DES Ciphers / IDEA offered
Obsoleted CBC ciphers (AES, ARIA etc.) offered
Strong encryption (AEAD ciphers) with no FS offered (OK)
Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
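Added example, not part of the original thread or the hosting provider's configuration: one way a server administrator could act on the "Remove SSL 3, TLS v1.0, TLS v1.1" advice above on a Windows/IIS host. It assumes the server terminates TLS through Schannel, that the script runs elevated, and that the machine is restarted afterwards so Schannel picks up the change.

```powershell
#Requires -RunAsAdministrator
# Added example: turn off SSL 3.0, TLS 1.0 and TLS 1.1 for the Schannel
# server role (used by IIS) and make sure TLS 1.2 stays enabled.
# Assumption: the host is Windows Server with IIS using Schannel.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol name -> should the server side accept it?
$desired = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

foreach ($proto in $desired.Keys) {
    $key = Join-Path $base "$proto\Server"
    $on  = $desired[$proto]

    # The protocol subkeys do not exist on a default install; create them.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Enabled=0 / DisabledByDefault=1 switches a protocol off,
    # Enabled=1 / DisabledByDefault=0 switches it on.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$on) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $on)) -Force | Out-Null
}

# Report what is now configured so it can be compared with a fresh scan.
foreach ($proto in $desired.Keys) {
    $p = Get-ItemProperty -Path (Join-Path $base "$proto\Server")
    [pscustomobject]@{
        Protocol          = $proto
        Enabled           = $p.Enabled
        DisabledByDefault = $p.DisabledByDefault
    }
}
```

After the restart, re-running testssl.sh or the SSL Labs test against the site should show SSLv3, TLS 1 and TLS 1.1 as not offered. The weak cipher categories flagged in the scan are configured separately and are not changed by this script.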
I sent them a screenshot of this conversation, the advice, and the link, to follow, to learn! I don’t know whether they will do something or not, but not having the padlock on older mobile phones is very, very bad. Millions and millions of people are still using older Android phones, and they are getting notifications that their information, passwords and ATM cards can be stolen. Shame!