7 February 2017, 11:16

Last month, SSL Labs has changed their gradings. The Hiawatha website score changed from A+ to A. According to the grading guide, an A+ is give to servers with 'good configuration, no warnings, and HTTP Strict Transport Security support with a max-age of at least 6 months'. When I removed the support for TLS v1.1, the A+ was rewarded again.

Since all browsers have TLS v1.2 support and the Network Working Group is working on TLS v1.3, it's time to let go of TLS v1.1 and earlier versions. The next version of Hiawatha will by default only accept TLS v1.2. Of course, that can be changed via the MinTLSversion option.

It turned out that mbed TLS contains a bug. There is a patch available, but it's not finished yet. It works fine at my server, though. The default value of the MinTLSversion for the next Hiawatha release will remain at TLSv1.1.

Joe Schmoe
10 February 2017, 18:36
Interesting. I still get an A+ using TLSv1.0 and TLSv1.1.
Hugo Leisink
10 February 2017, 18:50
What is the URL of your website? I'd like to see what SSL labs says about your website.
Hugo Leisink
10 February 2017, 19:24
I think I found what causes the A score. It seems that SSL Labs says my webserver no longer supports TLS_FALLBACK_SCSV. I'll try to find out what's going one.
David Oliver
22 February 2017, 22:30
Hi Hugo. It seems like I'll need to allow for someone using a .NET that only supports TLS 1.1, so if the option to use TLS 1.1 can remain that would indeed be helpful.
Hugo Leisink
23 February 2017, 15:13
Support for TLS v.1.1 and even TLS v1.0 will remain. There appeared to be a bug in mbed TLS that caused SCSV issues. Nothing changed in SSL Labs with regards to SCSV, so there's no need to increase the default value of the MinTLSversion option.