Over the years, we published some popular articles on how to get the best score on SSLLabs tests.
This year, we’re back on that popular topic, with an issue that can now be solved. In January 2020, Qualys changed its test to assign grade “B” when TLS 1.0 and 1.1 are still supported.
By default, an IIS server gets that result on the Qualys SSLLabs test.
Even in the latest IIS version (10), these protocols are still enabled by default. (list of default protocols status)
Now, this is what you need to do to avoid that validation message: “This server supports TLS 1.0 and TLS 1.1. Grade capped to B.”
How to fix that on IIS: (Link on microsoft article)
For TLS 1.0: (link on Microsoft article)
For TLS 1.1: (link)
To avoid complex registry edits, you can copy and paste the following configuration into a file called “disable-tls-10-11.reg”, created using Notepad, then double-click on it.
Content of the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
Save it, double-click on it, and accept all confirmation prompts to add these settings to your registry.
Then reboot your computer, and run your SSL test again. Grade A reached!
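To confirm that the import actually wrote both values before you re-run the test, you can read them back with PowerShell. This is an added example, not part of the original article or of Microsoft's documentation; the function name Get-SchannelServerState is hypothetical, and the script only reads the two keys from the .reg file above.

```powershell
# Added example: audit the SCHANNEL "Server" values written by disable-tls-10-11.reg.
# Read-only: it changes nothing in the registry.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper name, introduced for this example only.
function Get-SchannelServerState {
    param([string[]]$Protocol = @('TLS 1.0', 'TLS 1.1'))

    foreach ($p in $Protocol) {
        $key   = Join-Path $base "$p\Server"
        $value = $null

        # The key is absent on a server where the .reg file was never imported;
        # in that case the OS default applies (enabled on IIS 10, per the article).
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        }

        $state = if ($null -eq $value) { 'NotConfigured' } elseif ($value -eq 0) { 'Disabled' } else { 'Enabled' }

        [pscustomobject]@{
            Protocol = $p
            Enabled  = $value
            State    = $state
            Key      = $key
        }
    }
}

$report = Get-SchannelServerState
$report | Format-Table Protocol, Enabled, State -AutoSize

# Anything other than an explicit Enabled=0 keeps the SSLLabs grade capped at B.
$notDisabled = $report | Where-Object { $_.State -ne 'Disabled' }
if ($notDisabled) {
    Write-Warning ('Not explicitly disabled: ' + ($notDisabled.Protocol -join ', '))
    exit 1
}

Write-Output 'TLS 1.0 and TLS 1.1 are disabled for the server role (effective after reboot).'
```

A "NotConfigured" result means the key or value is missing, so the import did not apply and the protocol is still governed by the OS default.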