Forwarded to devs SSL It! TLS versions and ciphers by Mozilla v5 'intermediate' should support IE11 on Win7 or 8 - causes 'handshake_failure'

pleskuser67553


TITLE

SSL It! TLS versions and ciphers by Mozilla v5 'intermediate' should support IE11 on Win7 or 8 - causes 'handshake_failure'

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian, 18.0.33, CentOS Linux 7.9, IONOS VPS

PROBLEM DESCRIPTION

After resynchronising "TLS versions and ciphers by Mozilla" in SSL It! v1.7.7 it finds version 5.0. Subsequently, SSL Labs reports "IE 11 / Win 7 R Server sent fatal alert: handshake_failure" for my websites. I have replicated this on several servers with the same config, doing before and after SSL Labs tests, to reach this conclusion.

I'm using the "Intermediate (recommended)" preset in all cases, which says it supports IE 11 / Win 7 as the oldest browser. The websites on the resynced servers do work on IE 11 / Win 10, however. If I disable "TLS versions and ciphers by Mozilla", SSL Labs continues to report "IE 11 / Win 7 R Server sent fatal alert: handshake_failure" for my websites. I can't roll back to version 4.0 in the UI, but if I switch to the "Old" preset, the IE 11 / Win 7 handshake works but I get a grade B SSL Labs report because TLS 1.0 and 1.1 are supported :( According to a successful handshake, IE 11 / Win 7 will work with TLS 1.2, so I suspect an unintended side effect is happening with the Intermediate preset on version 5.0?

I had another server on Plesk Obsidian 18.0.30, SSL It! 1.6.0 on which I had not done a resync (currently version 4.0) and SSL Labs reports a good handshake "IE 11 / Win 7 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS", graded B because TLS 1.0 and 1.1 are supported.

STEPS TO REPRODUCE

  1. In SSL It! > "TLS versions and ciphers by Mozilla", enable if not already, check it is on preset version 5.0 or click "Sync now" to obtain it
  2. Apply preset "Intermediate (recommended)" (Oldest compatible clients: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, Safari 9.)
  3. Run an SSL Labs test on any website on the server.
  4. Optionally, use Browser Stack to double-check a website on IE 11 on Win 7
  5. Optionally, disable SSL It! > "TLS versions and ciphers by Mozilla", then run steps 3 and 4 again

ACTUAL RESULT

  • Grade A+ award in SSL Labs test, TLS 1.2+
  • From SSL Labs in the browser tests section: IE 11 / Win 7, R, Server sent fatal alert: handshake_failure
  • In Browser Stack: IE 11 / Win 7 causes a browser/security error

EXPECTED RESULT

  • Grade A+ award in SSL Labs test, TLS 1.2+
  • In SSL Labs in the browser tests section: IE 11 / Win 7, R, RSA 2048 (SHA256), TLS 1.2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ECDH secp256r1, FS (because this output is the actual result when testing with the "Old" preset for v5.0)
  • In Browser Stack: IE 11 / Win 7 loads website without error

ANY ADDITIONAL INFORMATION

Temporary workaround is to apply the "Old" preset because it is not possible to roll back to version 4.0 in the UI.

caniuse.com - Support for TLS 1.2

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
From developer:

I reproduced the issue on CentOS 7 and Ubuntu 18.04 if the domain is secured with a certificate with "key-algorithm" = "RSA" (default value).
I enabled 5.0 "Intermediate" level and got "Server sent fatal alert: handshake_failure" for Win7\IE11. At the same time, there are no errors if the domain is secured with a certificate with "key-algorithm" = "ECDSA"
Also, please take a look at IE11 on Win7 handshake_failure
 
Thanks, @IgorG.

To quote JuergenAuer on that thread, "you have to use a client that allows creating EC certificates" - That suggests the Plesk / SSL It! UI does not allow creating EC certs. Any plans to support this? Or is it already possible to 'secure with a certificate with "key-algorithm" = "ECDSA"' in SSL It!?
 
It is not a bug in SSL It!. It depends on the certificate type on a domain.

IE11 on Win7 handshake_failure

"Windows doesn't support GCM with RSA and no Chacha20. So there is no matching Cipher suite." But "IE11 client supports the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher". So, you have to switch to an EC-certificate.

Handshake is OK with IE11 / Win 7 when I use a Let's Encrypt ECDSA certificate.
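A small model of the cipher-suite negotiation described above, added here as an example; it is not code from this thread, from Plesk or from SSL It!. It encodes the TLS 1.2 suite list of the Mozilla v5.0 "Intermediate" preset, an abbreviated "Old" list (assumption: the Intermediate suites plus the CBC suites relevant to this thread, not the full preset), and a client capability list for IE 11 / Win 7 constructed only from the suites this thread reports that client supporting or negotiating. Server-preference ordering is also an assumption. A `None` result is the case where the client sees `handshake_failure`.

```python
# Added example: why Mozilla v5 "Intermediate" + RSA certificate fails for IE 11 / Win 7
# while an ECDSA certificate or the "Old" preset succeeds. Not Plesk / SSL It! code.

# Mozilla SSL Configuration Generator v5.0 "Intermediate", TLS 1.2 suites (IANA names).
# TLS 1.3 suites are omitted: IE 11 / Win 7 never negotiates TLS 1.3.
INTERMEDIATE = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Assumption: "Old" abbreviated to the Intermediate suites plus the CBC suites that
# matter for this thread (the real preset is longer).
OLD = INTERMEDIATE + [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

MOZILLA_V5 = {"intermediate": INTERMEDIATE, "old": OLD}

# Client capability list CONSTRUCTED from the observations in this thread only
# (not a full Schannel inventory): GCM is offered only with ECDSA authentication,
# and RSA authentication is only available with CBC suites.
IE11_WIN7 = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # named in the linked handshake_failure thread
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  # negotiated in the final SSL Labs result
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",    # negotiated under v4.0 / "Old" with RSA
]


def usable_with_key(suite, key_algorithm):
    """Does the server certificate's key type let the server authenticate this suite?

    ECDSA-authenticated suites need an EC certificate; ECDHE_RSA, DHE_RSA and plain
    RSA suites need an RSA certificate. The part before _WITH_ names kx/auth.
    """
    kx_auth = suite.split("_WITH_")[0]          # e.g. "TLS_ECDHE_ECDSA"
    if "ECDSA" in kx_auth:
        return key_algorithm == "ECDSA"
    return key_algorithm == "RSA"


def negotiate(server_suites, key_algorithm, client_suites):
    """Return the first server-preferred suite (assumption: server order wins) that the
    certificate can authenticate and the client also offers; None means the server
    has nothing in common with the ClientHello and sends handshake_failure."""
    offered = set(client_suites)
    for suite in server_suites:
        if usable_with_key(suite, key_algorithm) and suite in offered:
            return suite
    return None


def compatibility_matrix(client_suites):
    """(preset, key_algorithm) -> negotiated suite or None, for every combination."""
    return {
        (preset, key): negotiate(suites, key, client_suites)
        for preset, suites in MOZILLA_V5.items()
        for key in ("RSA", "ECDSA")
    }


if __name__ == "__main__":
    for (preset, key), result in compatibility_matrix(IE11_WIN7).items():
        print(f"{preset:12} {key:5} -> {result or 'handshake_failure'}")
```

Run it and the "intermediate / RSA" row is the only one with no common suite, which is the SSL Labs line reported above; "intermediate / ECDSA" picks TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and "old / RSA" picks TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, matching the two successful handshakes quoted earlier in the thread. Remember the client list is built only from what this thread observed; a real IE 11 / Win 7 offers more suites, but none of them is an RSA-authenticated GCM or ChaCha20 suite, which is the whole point.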
 
Handshake is OK with IE11 / Win 7 when I use a Let's Encrypt ECDSA certificate.
Please could you explain how I can do this in Plesk, assuming it's possible without the 2018 docker solution mentioned in that thread (which appears to be out-of-date with certbot's feature set now). I cannot see anywhere in SSL It! to choose an EC cert from Let's Encrypt. Do I need to amend an ini file somewhere?

Test another SSL provider.
Can you use Cloudflare SSL?
The only alternative offered to me in SSL It! is Sectigo but I'm unable to test a paid cert at this point.
 
@IgorG Many thanks for your help. With TLS versions and ciphers by Mozilla set to v5.0 Intermediate, I have added that to panel.ini and reissued a cert using SSL It! with Let's Encrypt and SSL Labs returned A+ with:
Code:
IE 11 / Win 7  R        EC 256 (SHA256)       TLS 1.2     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
 