Resolved Supporting more cipher suites for SSL

abcroste

Member
Hello,

I've got a Let's Encrypt SSL certificate for my domain https://www.abc-roster.com.

From running a scan with this website, I can see that only 3 cipher suites are supported for TLS 1.2.


# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH x25519 (eq. 3072 bits RSA) FS

While this works for most browsers (but not IE), some .NET 4 clients make requests to my website, and these 3 cipher suites are not part of Windows 7's built-in ciphers. As a result, these .NET clients cannot connect to my website.

So I'm not quite sure what I need to do to have more cipher suites supported. Is it related to the certificate, or is it to do with x10hosting?


Thank you
 

spacresx

Community Advocate
Community Support
I don't use SSL for my free x10hosting account.
But I don't think cipher suites are a thing for x10hosting to adjust.
I think that Let's Encrypt SSL certificates or Cloudflare handle that.
But I may be wrong.

IE 11 is kind of broken in a sense anyway;
most people upgraded to Microsoft Edge as a replacement.
I use Windows 7 and went to Microsoft Edge too.
I still have IE 11 but had issues with it, so I changed browsers.
But that's just my opinion.
 

abcroste

Member
Hello,
IE support per se is not the problem (I know it's dead and I don't expect people to use it), but the fact that .NET applications cannot connect to my website over HTTPS.

I asked Let's Encrypt in this thread and, from what I understand, I need to generate a new kind of certificate, but it does not look like that's possible from DirectAdmin. So I wanted to check with support why it is that the hosting server does not support more cipher suites.
 

spacresx

Community Advocate
Community Support
I believe x10hosting free accounts don't provide that type of service.
Even my paid hosting does not provide me that type of service.

SSL certificates are handled by the SSL businesses, such as sslforfree,
gogetssl, or in this case the Let's Encrypt website, not x10hosting.

And the certificate you use is a basic free certificate, I think,
just to use the basic protection of Cloudflare on a free x10hosting account.

I think that's why the type of certificate cannot be generated on x10hosting.
But I don't think you can do that on x10hosting.

If I'm wrong, maybe @garrettroyce or staff can confirm otherwise.
 

garrettroyce

Community Support
I'll let the admins know. Right now there are thousands and thousands of Let's Encrypt requests being processed to provide all of our free users with free SSL, so it may not happen for a while until that queue is cleared. It would be problematic if the queue has to start over from the beginning with your request, so it may not happen.

What you could do to resolve this from your site would be to upload your own certificate or to use a proxy service such as Cloudflare.
 

abcroste

Member
Yes, I've read the sticky post about the queue. But even if there was no queue, I don't think I can use DirectAdmin to generate a proper ECDSA certificate?

Maybe I'll give it a go with Cloudflare. At first I was just thinking about buying my own certificate and uploading it like you said, but I still need to make sure that it plays well with x10's supported ciphers.
 

garrettroyce

Community Support
The cipher support isn't the issue; it's a setting that must be configured. If you bring a certificate, it will work with any of the mainline OpenSSL ciphers.
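
An added example, not part of any post in this thread and not x10hosting's tooling: it parses the scan lines from the opening post, shows that every suite authenticates with an RSA certificate, and checks for overlap with a client's offer. `LEGACY_CLIENT` is a constructed list for illustration, not a verified Windows 7 suite list; the function names are hypothetical.

```python
import re

# Scan lines copied from the opening post (server-preferred order).
SCAN = """\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH x25519 (eq. 3072 bits RSA) FS
"""

# Constructed client offer (assumption). Capture the real ClientHello
# of the failing client to get its actual suites.
LEGACY_CLIENT = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

SUITE_RE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]{4})\)")

def parse_scan(text):
    """Return [(suite_name, hex_id)] from scan output, keeping server order."""
    found = []
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2).lower()))
    return found

def split_suite(name):
    """Split a TLS 1.2 suite name into (key_exchange, cert_key_type, cipher)."""
    kx_auth, cipher = name[len("TLS_"):].split("_WITH_", 1)
    parts = kx_auth.split("_")
    # TLS_RSA_WITH_*: RSA is both the key exchange and the certificate key type.
    return parts[0], parts[1] if len(parts) > 1 else parts[0], cipher

def negotiate(server_suites, client_suites):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered), None)

def usable_with_cert(client_suites, cert_key_type):
    """Client suites whose authentication matches the certificate's key type."""
    return [s for s in client_suites if split_suite(s)[1] == cert_key_type]

if __name__ == "__main__":
    server = [name for name, _ in parse_scan(SCAN)]
    print("negotiated:", negotiate(server, LEGACY_CLIENT))
    print("needs ECDSA cert:", usable_with_cert(LEGACY_CLIENT, "ECDSA"))
    print("needs RSA cert:", usable_with_cert(LEGACY_CLIENT, "RSA"))
```

A `None` result from `negotiate` corresponds to a handshake failure: either the server's enabled suite list or the certificate key type has to change before the two lists share an entry.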
 