Qualys SSL Labs scan is incorrectly capping TLS 1.3 servers to an "A" rating due to testing an obsolete functionality. #949
Comments
avparuch
changed the title
|
@naumanshah03, please take a look when feasible. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Until recently, our TLS server supported only TLS 1.2 and had an A+ rating on Qualys SSL Labs scans. After enabling TLS 1.3, in addition to TLS 1.2, the rating for the TLS server has been downgraded from A+ to A.
The reason for that is as shown below:
Previously, when only TLS 1.2 was enabled, the Qualys SSL Labs scan used to give the TLS server an A+ rating and add the following under the "Protocol details" section:
Now, when both TLS 1.2 and TLS 1.3 are enabled, the Qualys SSL Labs scan gives the TLS server an A rating and adds the following under the "Protocol details" section:
More info: https://datatracker.ietf.org/doc/rfc7507/
Now, ironically, after enabling TLS 1.3 in addition to TLS 1.2, the server is capped to an A grade, instead of the previous rating of A+, despite enabling a stronger TLS protocol. Apparently, this is due to a perceived lack of downgrade prevention on the server for TLS1.3
I'm writing this issue to inform you that testing TLS_FALLBACK_SCSV on TLS 1.3 is incorrect as TLS 1.3 has deprecated support for TLS_FALLBACK_SCSV. The Qualys SSLLabs scan should account for this and fix the rating appropriately. Please see rationale below:
Section 1.1 of RFC 8996 says:
The text was updated successfully, but these errors were encountered: