For those who don't know what Suche.org is, it is a website that has a perfect A+ rating on SSL Labs in every category (Suche.org SSL Labs result). I became aware of this website when I opened another ticket about ECC certificates not working in Chrome, and one of the responders used the site as an example.
What confuses me is that although the Protocol Support section of the report says that the website only uses TLSv1.2…
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No
That's clearly not the case, since under the Handshake Simulation section it shows that some of the simulated older clients are using TLSv1.0 to connect…
Android 4.0.4 EC 384 (SHA256) TLS 1.0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH secp521r1 FS
Android 4.1.1 EC 384 (SHA256) TLS 1.0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH secp521r1 FS
Android 4.2.2 EC 384 (SHA256) TLS 1.0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH secp521r1 FS
Android 4.3 EC 384 (SHA256) TLS 1.0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH secp521r1 FS
Android 4.4.2 EC 384 (SHA256) TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDH secp521r1 FS
This is a bit frustrating, because if I disable TLSv1.0 on my test website like so…
# Apache example
SSLProtocol all -SSLv3 -SSLv2 -TLSv1
…running the SSL Labs scan on my test website yields the following for some of the older clients:
Android 4.0.4 Server closed connection
Android 4.1.1 Server closed connection
Android 4.2.2 Server closed connection
Android 4.3 Server closed connection
Android 4.4.2 EC 384 (SHA256) TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS
How is it possible to simultaneously allow only TLSv1.2 connections, yet support older clients as well?
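The mechanism behind the scan results above is that a TLS client announces the highest protocol version it supports in the ClientHello before any certificate or cipher is chosen, so a front end can inspect that field and hand the connection to a back end configured for that client. The following is an added example, not code from the question, the answer or Suche.org: a small parser for the ClientHello record that extracts the advertised version (including the TLS 1.3 supported_versions extension), the cipher suites and the SNI, plus a routing decision that sends TLS 1.2-capable clients to a TLS 1.2-only back end and everything older to a legacy one. The back-end names, the `build_client_hello` helper and the sample hellos (modelled on the Android 4.0.4 and 4.4.2 rows of the scan, with constructed values) are all assumptions made for the example.

```python
import struct

# Hypothetical back-end names used only for the routing decision.
LEGACY_BACKEND = "legacy-tls10"   # SSLProtocol allows TLSv1.0 here
MODERN_BACKEND = "modern-tls12"   # SSLProtocol all -SSLv3 -SSLv2 -TLSv1 here
TLS12 = (3, 3)                    # TLS 1.2 is wire version 3.3

def build_client_hello(version, suites, sni=None, supported_versions=None):
    """Build a minimal but well-formed ClientHello record (constructed test data)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(lst)) + lst       # server_name extension
    if supported_versions:
        vs = b"".join(bytes(v) for v in supported_versions)
        payload = bytes([len(vs)]) + vs
        exts += struct.pack("!HH", 0x002B, len(payload)) + payload  # supported_versions
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the highest version the client advertises, its cipher suites and SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])            # legacy client_version field
    pos = 2 + 32                              # skip 32-byte random
    pos += 1 + hello[pos]                     # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                     # skip compression methods
    sni = None
    if pos + 2 <= len(hello):                 # extensions are optional (old clients omit them)
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == 0x0000:               # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
            elif etype == 0x002B:             # supported_versions overrides client_version
                n = edata[0]
                offered = [(edata[1 + i], edata[2 + i]) for i in range(0, n, 2)]
                # ignore GREASE values (major byte != 3) so they cannot inflate the result
                version = max([v for v in offered if v[0] == 3] + [version])
    return {"version": version, "suites": suites, "sni": sni}

def choose_backend(version):
    """TLS 1.2-capable clients go to the strict back end, everything else to legacy."""
    return MODERN_BACKEND if version >= TLS12 else LEGACY_BACKEND

def route(record):
    return choose_backend(parse_client_hello(record)["version"])

# Constructed sample hellos, modelled on the scan rows above.
ANDROID_404 = build_client_hello((3, 1), [0xC00A])                     # TLS 1.0, ECDHE-ECDSA-AES256-SHA
ANDROID_442 = build_client_hello((3, 3), [0xC02C, 0xC02B], sni="suche.org")  # TLS 1.2, GCM suites
TLS13_CLIENT = build_client_hello((3, 3), [0x1301],
                                  supported_versions=[(0x0A, 0x0A), (3, 4), (3, 3)])

if __name__ == "__main__":
    for name, rec in [("Android 4.0.4", ANDROID_404), ("Android 4.4.2", ANDROID_442),
                      ("TLS 1.3 client", TLS13_CLIENT)]:
        print(name, parse_client_hello(rec), "->", route(rec))
```

Nothing in this decision touches the server's own SSLProtocol setting: each back end keeps its strict or permissive configuration, and the front end only decides which one a given ClientHello reaches, which is why a scanner that sends a TLS 1.2 hello sees "TLS 1.0: No" while an old Android client still completes a TLS 1.0 handshake. HAProxy exposes the same field through its req.ssl_ver sample fetch, which is the hook the HAProxy-based setups for this trick use.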
Best Answer
I'm quite sure that they're checking the client capabilities and acting accordingly, as explained in the thread linked to in @Jeff's answer.
To get an idea of how this could look in detail, have a look at this. It shows an implementation made with HAProxy to serve different clients different certs, depending on their capabilities. I've done a full copy/paste to prevent link rot, and because I think this question could be of interest in the future: