Nginx – Why is Internet Explorer 11 unable to connect to HTTPS sites when TLS 1.2 is enabled

Tags: internet explorer, nginx, openssl, ssl, tls

Normally I don't use Internet Explorer at all. I use it only at design time for interface tests (on the development machine, with unencrypted HTTP). Every week I run the SSL Labs server test, which says IE11 is able to access my sites.

Today I discovered an issue with one of my 3rd-party services. Some special function is not working in Chrome or Firefox, so I launched IE11 on my Windows 7 machine. IE11 shows me a built-in error page which basically only says "the page could not be shown", plus the typical dummy blah blah like check the DNS and so on. There was absolutely no sign of an encryption-related issue on the entire error page (as a normal browser would show).

A couple of months back there was this schannel issue which prevented TLS 1.2-enabled IEs from accessing HTTPS sites. Since then my "WTF checklist for IE" contains "disable TLS 1.2" as a checkpoint. And what should I say… disabling TLS 1.2 within IE worked and my site is available again. But I can't do this on my visitors' browsers.

Now to the real questions: Why is Internet Explorer 11 unable to connect to my HTTPS site when TLS 1.2 is enabled within IE? And how do I fix it on the server side? SSL Labs says that everything is fine on my site.

Important edit: It seems that IE11 can handle only the non-prefixed domain and not the prefixed domain when TLS 1.2 is enabled: the domain without the www prefix works, while the domain including the www prefix won't work.

On the server side I'm using debian/7, nginx/1.7.8, openssl/1.0.1e.

Available ciphers are: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Best Answer

Do you also have SSL 2.0 enabled?

According to http://support.microsoft.com/en-us/kb/2851628 "SSL 2.0 and TLS 1.2 are not compatible with each other in Windows 7 and later operating systems. To use client-side certificates to establish an HTTPS connection over TLS 1.2, you must disable SSL 2.0".
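As an added diagnostic (not part of the question or the answer above), the following POSIX shell script uses `openssl s_client` to attempt a handshake with each protocol version against both the bare and the www hostname, so that a difference between the two server blocks, a server that still accepts SSL 2.0, or a failure that only occurs with TLS 1.2 shows up side by side. The hostnames `example.invalid` and `www.example.invalid` are placeholders, and the script assumes an `openssl` binary on PATH; builds without SSLv2 support report that flag as unsupported rather than failing.

```shell
#!/bin/sh
# Added diagnostic, not taken from the question or the answer.
# Probes a hostname with `openssl s_client` once per protocol version and
# reports whether the handshake completed and which cipher was negotiated.
# Assumes `openssl` is on PATH; hostnames passed in are placeholders.

# parse_s_client: read `openssl s_client` output on stdin and print
# "<protocol> <cipher>" when a handshake completed, or "FAIL" otherwise.
# A failed handshake leaves "Cipher : 0000" in the SSL-Session block, and a
# refused connection produces no SSL-Session block at all.
parse_s_client() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto != "" && cipher != "" && cipher != "0000")
                print proto, cipher
            else
                print "FAIL"
        }
    '
}

# probe_tls HOST VERSION_FLAG: attempt one handshake and print a verdict.
# VERSION_FLAG is one of -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2. SNI is sent via
# -servername so the right nginx server block answers.
probe_tls() {
    host=$1
    flag=$2
    # Empty stdin makes s_client exit as soon as the handshake is done;
    # stderr is captured too, since openssl reports errors there.
    out=$(printf '' | openssl s_client -connect "$host:443" \
            -servername "$host" "$flag" 2>&1 || true)
    case "$out" in
        *"unknown option"*|*"Unknown option"*)
            echo "$host $flag: not supported by local openssl"
            return 0 ;;
    esac
    echo "$host $flag: $(printf '%s\n' "$out" | parse_s_client)"
}

# compare_hosts HOST...: run every version against each hostname, so the
# bare and the www name can be read side by side.
compare_hosts() {
    for h in "$@"; do
        for f in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
            probe_tls "$h" "$f"
        done
    done
}

# Usage: sh probe.sh example.invalid www.example.invalid  (placeholders)
if [ "$#" -ge 1 ]; then
    compare_hosts "$@"
fi
```

A line reading `FAIL` for `-tls1_2` on only the www host, with the other versions succeeding, points at the server block for that name rather than at the client. On the nginx side the accepted versions are controlled by the `ssl_protocols` directive; listing only TLS versions there, and giving every server block (including the www one) the same setting, is the server-side counterpart of the SSL 2.0 check the answer suggests.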