Resolved SSL It! Mozilla TLS ciphers v5.0 Intermediate causes handshake_failure for IE 11 / Win 7, despite supporting it

[pleskuser67553]

Hi,

On Plesk Obsidian 18.0.30, after resynchronising "TLS versions and ciphers by Mozilla" in SSL It! 1.6.0 it finds version 5.0, subsequently SSL Labs reports "IE 11 / Win 7 R Server sent fatal alert: handshake_failure" for my websites. I replicated this on a second server with the same config, doing before and after SSL Labs tests, to reach this conclusion. I'm using the "Intermediate (recommended)" preset in both cases which supports IE 11 / Win 7 as the oldest browser. The websites on the resynced servers do work on IE 11 / Win 10 however. If I disable "TLS versions and ciphers by Mozilla" SSL Labs continues to report "IE 11 / Win 7 R Server sent fatal alert: handshake_failure" for my websites. I can't role back to version 4.0 in the UI, but if I switch to the "Old" preset, the IE 11 / Win 7 handshake works but I get a grade B SSL Labs report because TLS 1.0 and 1.1 is supported. According to a successful handshake, IE 11 / Win 7 will work with TLS 1.2, so I suspect an unintended side effect is happening with the Intermediate preset on version 5.0..?

I have another server on Plesk Obsidian 18.0.30, SSL It! 1.6.0 on which I have not done a resync (currently version 4.0) and SSL Labs reports a good handshake "IE 11 / Win 7 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS", graded B because TLS 1.0 and 1.1 is supported.

 

[Bobbbb]

Excellent job troubleshooting and describing this issue. Did you ever find a resolution to this? I have experienced the same thing with version 5 in the SSL It extension.

 

[pleskuser67553]

Thanks. Not yet. I keep checking the changelog but a fix is not mentioned. I have not retested this since my first report. This forum feels like an 'unofficial' space for reporting serious issues because many reports appear to go unanswered, but I don't know where else to report it other than here.

 

[pleskuser67553]

This is still a problem on Plesk Obsidian v18.0.33, SSL It! v1.7.7. TLS versions and ciphers by Mozilla Version 5 suggests it should also support IE 11 on newer versions of Windows, since intermediate/oldest_clients lists "IE 11 on Windows 7", however there is also a SSL Labs handshake_failure on IE 11 / Win 8.1 too.

 

[IgorG]

This forum feels like an 'unofficial' space for reporting serious issues because many reports appear to go unanswered, but I don't know where else to report it other than here.

Important - PLEASE FOLLOW THIS INSTRUCTION IF YOU BELIEVE THAT FOUND A BUG!

Dear Pleskians, Please, click Submit Report button and use the template in this special forum subsection if you really believe you discovered a new bug and need to report it to the Plesk developers. It does allow us to handle and resolve your requests much more efficiently. Please be careful...

talk.plesk.com

 

[pleskuser67553]

@IgorG Thanks for bringing that thread to my attention. I will submit a report. I wondered if perhaps I'd missed that thread first time around, however I've just visited the forum home and clicked around and I cannot see that important thread - certainly there is no thread like that pinned in the Plesk Extensions category. Maybe it could be added as a permanent banner at the top of the home page?

 

[IgorG]

Maybe it could be added as a permanent banner at the top of the home page?

I did this once. As a result, I received a lot of invalid reports.

 

[pleskuser67553]

I can understand that

 

[pleskuser67553]

Done SSL It! TLS versions and ciphers by Mozilla v5 'intermediate' should support IE11 on Win7 or 8 - causes 'handshake_failure'

 

[pleskuser67553]

Resolved Forwarded to devs - SSL It! TLS versions and ciphers by Mozilla v5 'intermediate' should support IE11 on Win7 or 8 - causes 'handshake_failure'

TL;DR add this in panel.ini

[ext-letsencrypt]
key-algorithm = ECDSA