Help Testing TLS 1.3 Compatibility for a More Efficient & Secure Internet

Transport Layer Security (TLS) is the protocol that allows for secure websites (via https), and currently, TLS 1.2 is the version most commonly used today, with 1.0 and 1.1 still supported by many servers for backward compatibility with older browsers, including the one running this blog. TLS 1.3 is the next version, already supported in libraries and server software such as wolfSSL or nginx, and promises to be more efficient – important for battery operated devices (IoT) – thanks to features like zero-RTT (0-RTT) mode, speedy with a restructured handshake state machine, and more secure.

However, changes in security protocol may mess up connection with some browsers or middleboxes, as I experience when I enabled https on CNX Software using Let’s Encrypt with nginx and Cloudflare, with around 0.5% of users losing access due to using older web browsers and operating systems such as Internet Explorer on Windows XP. According to Cloudflare, compatibilities issues are the main reasons why TLS 1.3 has not been enabled in web browsers, since around 3% of traffic fails when TLS 1.3 is enabled, mostly due to incorrect implementation of TLS version negotiations in some middleboxes.

TLS 1.3 draft 22 improves compatibility by making TLS 1.3 look like TLS 1.2 to those middleboxes, and success rates have increased to 98+%, but more testing is needed. You can help as Cloudflare has setup a website to test TLS 1.3 in your browser (Adobe Flash is used for maximum compatibility). In my case only IPv4 worked, since my ISP does not support IPv6, but I got no problem with TLS 1.3.

If the TLS 1.3 test fails, you can contact Cloudflare by email with your test identifier, middlebox information if you’re in a corporate environment, or ISP name if you are on a residential network.

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX Rockchip RK3588 mini-ITX motherboard

7 Replies to “Help Testing TLS 1.3 Compatibility for a More Efficient & Secure Internet”

  1. ” with 1.0 and 1.1 still supported by many servers for backward compatibility with older browsers, including the one running this blog. ”

    -> I think your blog is not using 1.0 anymore ?

  2. My former comment disappeared, so here a next try without URL: the tool ‘testssl’ is very handy for testing TLS of websites and other services.

  3. Ah, that comment appeared, so here are the results for cnx-software.com:

    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 offered
    TLS 1.1 offered
    TLS 1.2 offered (OK)
    TLS 1.3 offered (OK): draft 18
    SPDY/NPN h2, spdy/3.1, http/1.1 (advertised)
    HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)

Leave a Reply

Your email address will not be published. Required fields are marked *

Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...
Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...