TLS 1.2 not supported - SSLlabs downgraded from A to B

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.surfgate.be

I ran this command: Certify The Web + DigiCertUtil

It produced this output: This server supports TLS 1.0 and TLS 1.1. Grade capped to B

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: Own servers

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi @Attacus

change that. That’s not a certificate relevant question, that’s only a not so good configuration of your webserver.

1 Like

As Jurgen said this is all web server configuration, and has nothing to do with the Certificate. You need to configure IIS to use TLSv1.2, especially with Google Chrome’s new updates coming out with showing a site not secure if it does not support the TLSv1.2 protocol.

1 Like

The site uses Tls.1.2 - https://check-your-website.server-daten.de/?q=surfgate.be#connections

So Chrome is happy.

But Tls.1.0 and 1.1 are activated. The error message is from Ssllabs. Started 2020-01-31 -> Tls.1.1 and 1.0 active -> Grade B

Hi. Do changes also have to be made in letsencrypt/options-ssl-apache.conf ?? I recently sorted out some Apache servers and had to amend the following two files in order to pass:

  • /etc/httpd/conf.d/ssl.conf
  • /etc/letsencrypt/options-ssl-apache.conf

:+1:

1 Like

Well this is IIS so it’s a bit different.

@Juergen Ah. I didn’t look deep enough. Assumed it meant TLSv1.2 not being used.

But yeah, unless you have to absolutely support older browsers, you SHOULD disable TLSv1.0 & 1.1.

1 Like

Thanks for your great support!

I activated in the register (added) the TLS 1.2 protocol and disabled 1.0 and 1.1.
However, It remains activated even after several reboots (in the middle of the night) and didn’t find a proper solution to disable the older TLS versions or to force to use only TLS 1.2 on IIS 10.

Windows server 2016 (also 2019) doesn’t support TLS 1.3 (yet).

Hi @Attacus

how?

Use IISCrypto to disable Tls.1.0 and 1.1.

That works, “check your website” doesn’t use Tls.1.0 / 1.1, it’s Windows 2019.

I FOUND IT!!

A+ on SSLlabs!

Domain: surfgate.be
Used Powershell and ISSCrypto!

1 Like

Nice! More than likely won’t see TLSv1.3 support in Windows for a while. Not actually supported in Linux OpenSSL under 1.1.x, meaning not CentOS 7 or Ubuntu 18.04.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.