Server 2022 TLS 1.3 makes A+ go to A rating #853
Comments
Hi
But TLS 1.2 and TLS 1.3 are secure, so why the A and not A+?
Microsoft is also not supporting downgrading as it is not vulnerable, so can there be an OS check?
@RobTho TLS1.3 is not considered in this document, and Microsoft is also mentioning that the attack is not present on Windows Server environments. "If a client sets ClientHello.client_version to its highest
Not using TLS1.3 is not OK, the check needs to be adjusted.
See also #815
From what I gather you are right, this is still not supported with Windows Server 2022. Still, it does seem backward to have TLS 1.2 result in A+ and TLS 1.3 then result in A.
Microsoft has investigated the issue and mention that this is not a problem in Windows Server and therefore it is not needed to build in the feature. Because of this an A+ is a valid score.
@Marcel-Balk Do you have a link confirming that "Microsoft has investigated the issue and mention that this is not a problem in Windows server"? I can't find any information on that.
They reported it in a ticket to us pointing to this document: https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem which indeed, in "The Current State of Microsoft's TLS 1.0 implementation", describes that they are following the protocol. They also mention that the only way to do a downgrade is to force it on the server and client at the same time, so if you have TLS 1.2 and TLS 1.3 enabled it's not a problem.
Today we tested with Windows Server 2022 on a test environment, and when TLS 1.3 is disabled ( TLS_AES_256_GCM_SHA384 / TLS_AES_256_GCM_SHA384 ) we are getting a status of A+ on the page https://shorturl.at/bevE9
When we enable TLS 1.3 the status goes to A, which should not be happening.
Can this be fixed?