According to Qualys SSL Labs, IE 11 on on Windows 7 and 8.1 only works with max TLS 1.2 and only supports the following 4 secure forward secrecy ciphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Source: https://dev.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=143
When I run nmap, those ciphers don't show up (SSL Labs reports the same): $ nmap --script ssl-enum-ciphers -p 8443 myDomain.com Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-15 17:43 EDT Nmap scan report for myDomain.com (127.0.0.1) Host is up (0.000056s latency). rDNS record for 127.0.0.1: localhost PORT STATE SERVICE 8443/tcp open https-alt | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds Jetty lists those ciphers as enabled: | += SslConnectionFactory@6dbb137d{SSL->alpn} - STARTED | | += Server@5f058f00[provider=Conscrypt,keyStore=file:///home/folder/dev/etc/keystore,trustStore=null] - STARTED | | +> trustAll=false | | +> Protocol Selections | | | +> Enabled size=4 | | | | +> TLSv1 | | | | +> TLSv1.1 | | | | +> TLSv1.2 | | | | +> TLSv1.3 | | | +> Disabled size=2 | | | +> SSLv2Hello - ConfigExcluded:'SSLv2Hello' JVM:disabled | | | +> SSLv3 - ConfigExcluded:'SSLv3' JVM:disabled | | +> Cipher Suite Selections | | +> Enabled size=27 | | | +> TLS_AES_128_GCM_SHA256 | | | +> TLS_AES_256_GCM_SHA384 | | | +> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | | | +> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | | | +> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | | | +> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | | | +> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | | | +> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | | | +> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | | | +> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | | | +> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | | | +> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | | | +> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | | | +> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | | | +> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | | | +> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | | | +> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | | | +> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | | | +> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | | | +> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | | | +> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | | | +> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | | | +> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | | | +> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | | | +> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | | | +> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | | | +> TLS_EMPTY_RENEGOTIATION_INFO_SCSV | | +> Disabled size=18 ... I'm using: Jetty version 9.4.21.v20190926 Java: AdoptOpenJDK OpenJDK 64-Bit Server VM 11.0.4 OS: Linux amd64 4.15.0-65-generic Why aren't they offered with tls 1.2? Can I fix this with configuration? -- Glen K. Peterson (828) 393-0081
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
