Open Pascal666 opened 7 years ago
Yes, and I think this is partially right since getting maximum scores means you have to break support for most browsers. It’s even worse if you consider all NIST curves to be backdoored and choose to support only 25519 and/or 448.
Handshaking with older browsers probably shouldn't matter, but IMHO a server that cannot handshake with the current versions of Chrome, Firefox, and Android should not be given an A. Perhaps the loss of a grade for each major browser whose current version the server cannot handshake with?
OK, then in this direction you’re likely already penalized for this: the latest versions of Chrome/Firefox/Android support secure crypto, so if you do not support them this very likely means that you only support obsolete crypto. Or do you have other ideas/examples in mind? Especially a site that effectively scores an A but does not handshake with either Android, Chrome or Firefox in their latest version?
Example of a severely broken server receiving an A:
Hum. I see, Firefox/Chrome/Android do not support AES CBC with SHA-2, only SHA-1 (not sure why though). Well I would be in favour of moving SHA-1 suites support to a lower grade. But I’m not running SSLLabs.
Looking a bit around I found this: https://community.qualys.com/thread/12415. So I guess this is expected as a valid behaviour.
Lack of support in browsers is strange, especially in the light of the Modern section in https://wiki.mozilla.org/Security/Server_Side_TLS.
As you've correctly pointed out, interoperability is not taken into account at the moment. I will consider it for the next grading update. Thanks!
Handshake Simulation results do not appear to affect a server's Overall Rating.
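The grading rule proposed in the thread (lose one grade step per major browser whose current version cannot handshake) modelled in Python, as an added example that is not SSL Labs code. The client cipher-suite inventories, the client names and the `interop_grade` helper are constructed assumptions; they only reproduce the thread's observation that the major browsers offer AES-CBC suites with SHA-1 MACs but not with SHA-2 MACs.

```python
# SSL Labs letter grades from best to worst (a demotion moves one step right).
GRADES = ["A+", "A", "A-", "B", "C", "D", "E", "F"]

# Constructed client cipher-suite inventories (IANA names). They are not real
# browser data; they only mirror the thread's observation that the major
# browsers enable AES-CBC suites with SHA-1 but not with SHA-2 MACs.
CLIENT_SUITES = {
    "Chrome (current)": {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    },
    "Firefox (current)": {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    },
    "Android (current)": {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    },
    "Legacy client": {"TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
}
MAJOR_CLIENTS = ("Chrome (current)", "Firefox (current)", "Android (current)")


def can_handshake(server_suites, client_suites):
    """A handshake needs at least one suite enabled on both sides."""
    return bool(set(server_suites) & set(client_suites))


def simulate(server_suites):
    """Per-client handshake outcome, like the Handshake Simulation table."""
    return {name: can_handshake(server_suites, suites)
            for name, suites in CLIENT_SUITES.items()}


def interop_grade(base_grade, server_suites, major_clients=MAJOR_CLIENTS):
    """Demote base_grade one step per major client that cannot handshake.
    Failures with non-major (legacy) clients are not penalised."""
    results = simulate(server_suites)
    failures = [c for c in major_clients if not results[c]]
    new_index = min(GRADES.index(base_grade) + len(failures), len(GRADES) - 1)
    return GRADES[new_index], failures


if __name__ == "__main__":
    # The thread's case: a server enabling only AES-CBC suites with SHA-2 MACs.
    cbc_sha2_only = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]
    print(interop_grade("A", cbc_sha2_only))  # grade drops three steps, A to C
```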