Why is Internet Explorer 11 unable to connect to HTTPS sites when TLS 1.2 is enabled?
Normally I don't use Internet Explorer at all. I use it only in design time for interface tests (development machine and with unencrypted http). Every week I run the SSL Labs server test which says IE11 is able to access my sites.
Today I discovered an issue with one of my 3rd party services. Some special function is not working with Chrome or Firefox so I launched IE11 on my Windows 7 machine. And IE11 shows me a builtin error page witch basically only says "the page could not be shown". And the typical dummy bla bla like check the DNS and so on. There was absolutely no sign of an encryption related issue on the entire error page (like normal browser would do).
Back a couple of month there was this schannel issue which prevents TLS1.2 enabled IEs to access HTTPS sites. From that point in time my "WTF checklist for IE" contains "disable TLS1.2" as a checkpoint. And what should I say... disabling TLS1.2 within IE worked and my site is available again. But I can't do this on my visitors browsers.
Now to the real questions: Why Why does Internet Explorer 11 is unable to connect to my HTTPS site when TLS 1.2 is enabled within IE? And how to fix it on server side? SSL Labs is telling that everything is fine on my site.
Imporant Edit: It seems that IE11 can handle only the non-prefix domain and not the prefixed domains when TLS1.2 is enabled. domain without prefix (www) works while domain including prefix (www) won't work.
On the server side I'm using debian/7 nginx/1.7.8 openssl/1.0.1e
Available ciphers are: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Do you also have SSL 2.0 enabled?
According to http://support.microsoft.com/en-us/kb/2851628 "SSL 2.0 and TLS 1.2 are not compatible with each other in Windows 7 and later operating systems. To use client-side certificates to establish an HTTPS connection over TLS 1.2, you must disable SSL 2.0".
Ran into this issue today with IE11 on Win 7 (fully updated with important updates, but not optional ones), when using Mozilla's Intermediate suite, which works fine with IE8 on XP and is supposed to work with IE7+. Thought I'd post here is this issue doesn't turn up much else on google.
Spent some time with wireshark figuring out the minimum modification required to make it work. Disclaimer: I am not a crypto expert, there could be a better way to do this. But it did not change my ssllabs.com rating at all.
Move ECDHE-RSA-AES128-SHA256 (the first one that works for IE11) up above kEDH+AESGCM and DHE-RSA-AES128-GCM-SHA256, for the intermediate suite resulting in:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA