ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0
Bug: TLS 1.2 No marked orange #826

Open annainfo opened 3 years ago

annainfo commented 3 years ago

Disabling TLS 1.2 doesn't make a server supporting only TLS 1.2 and TLS 1.3 less secure.

MartinThoma commented 3 years ago

This sounds similar to https://github.com/ssllabs/ssllabs-scan/issues/600

Could you add a couple more words? What did you observe? What did you expect?

dreamwraith commented 3 years ago

I could add thousands of words - and yes, it's probably related to #600.

Server grading is being downgraded because of lack of TLS 1.2 support.

When my server ONLY supports TLS 1.3 out of a desire to not support less secure protocols, it is being downgraded. If a client with only TLS 1.2 or lower support tries to connect it simply cannot - that is not less secure, it simply reduces the audience that can reach my site, but yet the SSL Labs grading considers it less secure.

That this has been an issue for so long is still super annoying.

annainfo commented 3 years ago

> This sounds similar to #600
>
> Could you add a couple more words?

Yes.

> What did you observe?

Noted in topic label: "TLS 1.2 No marked orange"

> What did you expect?

TLS 1.2 No not marked orange