SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols

Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.

Update 1/16/2020: The grade change is now live on the development server at dev.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade on the development server. Deployment to production SSL Labs servers is planned for the very end of January.

Update 10/11/19: The TLS 1.0/1.1 warning changes are now live on www.ssllabs.com. The grade change for supporting TLS 1.0/1.1 has moved from March 2020 to January 2020, as shown in the “SSL Labs Grade Change” section below and as reflected in the summary messages in SSL Labs results.

Update 11/30/18: Now live on ssllabs.com: In the Configuration->Protocols section, the “TLS 1.1” text color will be changed to orange by end of November 2018.

TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately fix SSL or deprecated TLS, it is critically important that organizations upgrade to a secure alternative as soon as possible.

Browser vendors have provided approximate deadlines for disabling the TLS 1.0 and TLS 1.1 protocols:

| Browser Name | Date |
| --- | --- |
| Microsoft IE and Edge | First half of 2020 |
| Mozilla Firefox | March 2020 |
| Safari/Webkit | March 2020 |
| Google Chrome | January 2020 |

The best practices outlined in RFC 7525 explain why using TLS 1.0 and TLS 1.1 is discouraged. PCI-DSS recommends that users switch from TLS 1.0 and adopt TLS 1.2+.

The following table shows, for each browser, the percentage of connections made to SSL/TLS servers using TLS 1.0 and TLS 1.1:

| Browser/Client Name | Percentage (%) – Both TLS 1.1 and TLS 1.0 |
| --- | --- |
| Microsoft IE and Edge | 0.72% |
| Mozilla Firefox | 1.2% |
| Safari/Webkit | 0.36% |
| Google Chrome | 0.5% |
| SSL Pulse November 2018 | 5.84% |

SSL Labs Grade Change

To encourage users to migrate to TLS 1.2+ and remove TLS 1.1 and TLS 1.0 from servers, SSL Labs will lower the grade for SSL/TLS servers that use TLS 1.1 and TLS 1.0.

TLS 1.0 Grade change date:
- A warning will be displayed for downgrading to grade “B” by end of September 2019
- Grade will be changed to “B” by end of January 2020 (originally March 2020)

TLS 1.1 Grade change date:
- In the Configuration->Protocols section, the “TLS 1.1” text color will be changed to orange by end of November 2018
- A warning will be displayed for downgrading to grade “B” by end of September 2019
- Grade will be changed to “B” by end of January 2020 (originally March 2020)

Existing Grades Sample

| Server Configuration | Grade |
| --- | --- |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + TLS_FALLBACK_SCSV | A+ |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + No support for TLS_FALLBACK_SCSV | A |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + Warnings + No support for TLS_FALLBACK_SCSV | A- |

Future Grades Sample

| Server Configuration | Grade |
| --- | --- |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + TLS_FALLBACK_SCSV | B |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + No support for TLS_FALLBACK_SCSV | B |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + Warnings + No support for TLS_FALLBACK_SCSV | B |
| TLS 1.2 + HSTS + No Warning + TLS_FALLBACK_SCSV | A+ |
| TLS 1.2 + HSTS + No Warning + No support for TLS_FALLBACK_SCSV | A |
| TLS 1.2 + HSTS + Warnings + No support for TLS_FALLBACK_SCSV | A- |
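
An added example, not SSL Labs code: one way to find servers that would be capped at B is to audit their configuration for TLS 1.0 and TLS 1.1 before the scanner does. It assumes nginx (the `ssl_protocols` directive with the tokens `TLSv1` and `TLSv1.1`), one directive per line, and a constructed sample configuration; the function names are hypothetical.

```python
import re

# nginx tokens for TLS 1.0 and TLS 1.1, the protocols that cap the grade at B.
DEPRECATED = {"TLSv1", "TLSv1.1"}
# Assumption: each ssl_protocols directive sits on a single line.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);")

# Constructed sample configuration (hostnames are placeholders).
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still serves old clients
}
server {
    listen 443 ssl;
    server_name modern.example.test;
    # ssl_protocols TLSv1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def audit_ssl_protocols(config_text):
    """Return (line_no, enabled, deprecated) for every ssl_protocols directive."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore comments, including commented-out directives
        match = DIRECTIVE.match(line)
        if match:
            enabled = match.group(1).split()
            deprecated = sorted(DEPRECATED.intersection(enabled))
            findings.append((line_no, enabled, deprecated))
    return findings


def capped_to_b(config_text):
    """True if any directive still enables TLS 1.0 or TLS 1.1."""
    return any(deprecated for _, _, deprecated in audit_ssl_protocols(config_text))


if __name__ == "__main__":
    for line_no, enabled, deprecated in audit_ssl_protocols(SAMPLE_CONF):
        status = "capped to B: " + ", ".join(deprecated) if deprecated else "no cap from protocols"
        print(f"line {line_no}: {' '.join(enabled)} -> {status}")
```

A configuration with no `ssl_protocols` directive yields no findings; the enabled protocols then come from nginx's built-in default, which depends on the nginx version, so check those servers separately.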