We had an A+ but were downgraded. I corrected the new issues found and used IIS Crypto to verify best-practice settings. After making the changes we are only at an A. The only two indicators SSL Labs gives me are below.
- Protocol or cipher suite mismatch for IE 6 / XP, which I do not think is part of the lower score, but I guess it could be.
- Downgrade attack prevention: No, TLS_FALLBACK_SCSV not supported. This does seem to be an issue for the SSL Labs test.
We are running IIS 7.5, which from my research is not affected by this downgrade attack and is nothing to worry about. But from what I understand, if the server supports multiple versions of TLS you must support TLS_FALLBACK_SCSV to get back to an A+.
Is this a problem with the tool not accounting for the use of Windows and IIS, or should I be making a change? See attached.
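A way to verify for yourself what SSL Labs is reporting, added here as an example (it is not the poster's code and not SSL Labs' test): it sends a TLS 1.0 ClientHello that carries TLS_FALLBACK_SCSV, the way a browser does after a simulated fallback, and classifies the reply. A server implementing RFC 7507 answers with an inappropriate_fallback alert (description 86); one that does not simply continues the handshake. The host and port are placeholders you supply for a server you administer, and the check is only meaningful when the hello's version is below the server's highest supported version.

```python
import socket
import struct

TLS_FALLBACK_SCSV = 0x5600       # signaling cipher suite value from RFC 7507
INAPPROPRIATE_FALLBACK = 86      # alert description a compliant server returns


def build_client_hello(version=(3, 1), suites=(0x002F, 0x0035, 0x000A)):
    """Build a minimal ClientHello record at `version` (default TLS 1.0) whose
    cipher list ends with TLS_FALLBACK_SCSV. No extensions, to keep it small."""
    major, minor = version
    random32 = b"\x00" * 32  # constructed placeholder; a real client uses a CSPRNG
    cipher_list = b"".join(struct.pack("!H", s) for s in suites + (TLS_FALLBACK_SCSV,))
    body = (
        bytes([major, minor]) + random32 + b"\x00"      # version, random, empty session id
        + struct.pack("!H", len(cipher_list)) + cipher_list
        + b"\x01\x00"                                    # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record returned after the fallback-marked hello:
    'supported' (inappropriate_fallback alert), 'not_supported' (server sent a
    ServerHello and carried on), 'other_alert', or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:           # Alert record: level, description
        return "supported" if data[6] == INAPPROPRIATE_FALLBACK else "other_alert"
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02:   # Handshake: ServerHello
        return "not_supported"
    return "unknown"


def probe(host, port=443, version=(3, 1), timeout=5.0):
    """Connect to your own server, send the hello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unknown"
    return classify_response(data)


if __name__ == "__main__":
    print(probe("your-iis-host.example"))   # placeholder hostname
```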