Dave Garrett

SSL3 only servers should autofail server test

Discussion created by Dave Garrett on Jul 25, 2014
Latest reply on Oct 15, 2014 by j-mailor

SSL is old and on its way out. TLS 1.0 is nearing universal support, or at least as close as it will get until SSL3 gets disabled in major browsers. Mozilla is currently considering doing so at the moment and it's likely other vendors have the thought in the back of their minds as well. Currently, the SSL server test caps SSL3-only servers to a 'B' grade. I would like to request that this sort of setup result in an automatic 'F' rating (or possibly 'E' if you only want a total failure for completely insecure setups).

A test case I noticed when checking a server for a bug reported on Mozilla's bug tracker:

https://www.ssllabs.com/ssltest/analyze.html?d=tmobile.ecustomersupport.com

https://dev.ssllabs.com/ssltest/analyze.html?d=tmobile.ecustomersupport.com

1042380 – ssl_error_no_cypher_overlap on https://tmobile.ecustomersupport.com

In the same vein, I think a server that only supports a maximum of TLS 1.0 should not be getting a 'B' rating anymore either. I think a 'C' rating would be more appropriate at this point. (A 'B' for TLS 1.1 sounds fine.)