SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.
Update 1/16/2020: The grade change is now live on the development server at dev.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade on the development server. Deployment to production SSL Labs servers is planned for the very end of January.
Update 10/11/19: The TLS 1.0/1.1 warning changes are now live on www.ssllabs.com. The grade change for supporting TLS 1.0/1.1 is changed from March 2020 to January 2020 as shown below in the SSL Labs Grade Change" section below and as reflected in the summary messages in SSL Labs results.
Update 11/30/18: Now live on ssllabs.com: In Configuration->Protocols section TLS 1.1" text color will be changed to Orange by end of November 2018.
TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately fix SSL or deprecated TLS, it is critically important that organizations upgrade to a secure alternative as soon as possible.
Various Browser clients have provided approximate deadlines for disabling TLS 1.0 and TLS 1.1 protocol:
| Browser Name | Date | |
|---|---|---|
| Microsoft IE and Edge | First half of 2020 | |
| Mozilla Firefox | March 2020 | |
| Safari/Webkit | March 2020 | |
| Google Chrome | January 2020 |
Best practices outlined in RFC-7525give reasons why it is discouraged to use protocol TLS 1.0 and TLS 1.1. PCI-DSS recommends users to switch from protocol TLS 1.0 and adopt protocol TLS 1.2+.
Following table shows for each browser the percentage of connections made to SSL/TLS servers using protocol TLS 1.0 and TLS 1.1:
| Browser/Client Name | Percentage (%) - Both TLS 1.1 and TLS 1.0 | |
|---|---|---|
| Microsoft IE and Edge | 0.72% | |
| Mozilla Firefox | 1.2% | |
| Safari/Webkit | 0.36% | |
| Google Chrome | 0.5% | |
| SSL Pulse November 2018 | 5.84% |
To encourage users to migrate to protocol TLS 1.2+ and remove protocol TLS 1.1 and TLS 1.0 from servers, SSL Labs will lower the grade for SSL/TLS servers which use TLS 1.1 and TLS 1.0.
TLS 1.0 Grade change date:- A warning will be displayed for downgrading to grade B" by end of September 2019
- Grade will be changed to B" by end of March 2020 January 2020
- In Configuration->Protocols section TLS 1.1" text color will be changed to Orange by end of November 2018
- A warning will be displayed for downgrading to grade B" by end of September 2019
- Grade will be changed to B" by end of March 2020 January 2020
| Server Configuration | Grade | |
|---|---|---|
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + TLS_FALLBACK_SCSV | A+ | |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + No support for TLS_FALLBACK_SCSV | A | |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + Warnings + No support for TLS_FALLBACK_SCSV | A- |
| Server Configuration | Grade | |
|---|---|---|
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + TLS_FALLBACK_SCSV | B | |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + No Warning + No support for TLS_FALLBACK_SCSV | B | |
| TLS 1.2, TLS 1.1, TLS 1.0 + HSTS + Warnings + No support for TLS_FALLBACK_SCSV | B | |
| TLS 1.2 + HSTS + No Warning + TLS_FALLBACK_SCSV | A+ | |
| TLS 1.2 + HSTS + No Warning + No support for TLS_FALLBACK_SCSV | A | |
| TLS 1.2 + HSTS + Warnings + No support for TLS_FALLBACK_SCSV | A- |
- Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 : https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
- Removing Old Versions of TLS : https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
- Deprecation of Legacy TLS 1.0 and 1.1 Versions: https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
- Modernizing Transport Security: https://security.googleblog.com/2018/10/modernizing-transport-security.html
- Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS): https://tools.ietf.org/html/rfc7525