AFAIK IIS 8.5 doesn't need to support TLS_FALLBACK_SCSV.
How can I get grade A+ in this case?
I guess you are using Windows Server 2012 R2. I doubt it doesn't need to support. There is just no support.
The Request for Comments (RFC) 5746 recommends sending the Transport Layer Security (TLS) Renegotiation Indication Extension in the TLS "ClientHello" message. However, in certain cases, sending the TLS extension in the TLS ClientHello message can cause a failure on certain kinds of servers that cannot parse the TLS extensions correctly. This type of interoperability failure had not been encountered in Microsoft operating systems earlier than Windows Vista. This is because the ClientHello message previously did not contain any extensions when using these earlier operating systems. To avoid this problem, an administrator can use the UseScsvForTls DWORD registry entry with a nonzero value. (This can be any value other than zero.) This registry entry will cause the client to send a fixed byte pattern (00 FF) in the list of cipher-suite values instead of the TLS Renegotiation extension in the TLS ClientHello message to signal the server. The fixed byte pattern (00 FF) is known as a Signaling Cipher Suite Value (SCSV).
To configure the UseScsvForTls registry entry, add a DWORD to the following subkey in the registry on the TLS client computer:
The following table explains the behavior for the DWORD settings:
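To make the distinction concrete (the 00 FF value described above is the RFC 5746 renegotiation SCSV, which is a different cipher-suite value from TLS_FALLBACK_SCSV), here is an added Python example that is not from this thread or from Microsoft: it parses the cipher-suite list and extension types out of a TLS ClientHello record and reports which signal is present. The two sample hellos are constructed inline; the 0x5600 value for TLS_FALLBACK_SCSV comes from the draft the thread links.

```python
import struct

# Signaling cipher suite values (SCSVs) discussed in the thread.
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746; what UseScsvForTls makes Schannel send
TLS_FALLBACK_SCSV = 0x5600                  # downgrade-protection SCSV (draft-ietf-tls-downgrade-scsv)
EXT_RENEGOTIATION_INFO = 0xFF01             # renegotiation_info extension type

def build_client_hello(cipher_suites, extensions=()):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    body = struct.pack(">H", 0x0303) + bytes(32)        # client_version + zeroed random
    body += b"\x00"                                     # empty session id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    if extensions:
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

def parse_client_hello(record):
    """Return (cipher_suites, extension_types) from a ClientHello record."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
    p += 1 + record[p]                  # skip session id
    n = struct.unpack(">H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack(">H", record[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + record[p]                  # skip compression methods
    ext_types = []
    if p < len(record):                 # extensions block is optional
        n = struct.unpack(">H", record[p:p + 2])[0]; p += 2
        end = p + n
        while p < end:
            t, l = struct.unpack(">HH", record[p:p + 4]); p += 4 + l
            ext_types.append(t)
    return suites, ext_types

def scsv_report(record):
    """Which of the two unrelated signals (and the extension) a hello carries."""
    suites, exts = parse_client_hello(record)
    return {
        "renegotiation_scsv": TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites,
        "renegotiation_ext": EXT_RENEGOTIATION_INFO in exts,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }

# Constructed: a client with UseScsvForTls set (00 FF in the list, no extension)
# versus a client that signals TLS_FALLBACK_SCSV and uses the extension instead.
USE_SCSV_FOR_TLS_HELLO = build_client_hello([0xC02F, 0x002F, TLS_EMPTY_RENEGOTIATION_INFO_SCSV])
FALLBACK_HELLO = build_client_hello([0xC02F, 0x002F, TLS_FALLBACK_SCSV],
                                    [(EXT_RENEGOTIATION_INFO, b"\x00")])
```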
What is the reason why you think that you do not need TLS_FALLBACK_SCSV?
There is only one reason I can imagine, and this would be that you only support one protocol version.
If this is the case it is a good point. If you can tell the server name I think you can get better advice.
I'm using IIS 8.5 under Windows Server 2012 R2. And based on Microsoft blog post Understanding Problems with MS10-049, KB 980436 and IETF RFC5746 - Http Client Protocol Issues (and other fun stuff I su…
"UseScsvForTls" is not related to "TLS_FALLBACK_SCSV"
TLS_FALLBACK_SCSV which is not final by IETF yet,
draft-ietf-tls-downgrade-scsv-00 - TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade At…
is not supported by MS yet: https://connect.microsoft.com/IE/feedback/details/1002874/internet-explorer-should-send-tls-fallback-scsv
So you cannot get an A+ with any IIS currently.
TLS_FALLBACK_SCSV has passed the WG voting stage which means it's on-track and just a few weeks from being published as an RFC
Edit: Removed bit where I momentarily confused the TLS pseudo-cipher TLS_FALLBACK_SCSV with the HTTP Strict-Transport-Security header. Guess I wasn't fully awake.
TLS Fallback SCSV is not a HTTP header that you can just add in the (IIS) configuration, it's a TLS cipher suite that's exchanged in the TLS Client Hello (are you perhaps confusing it with HSTS?).
But yeah, TLS Fallback SCSV is not yet supported in schannel, the Windows native crypto library.
No Windows Server (IIS) can achieve A+ at the moment.
The next version of IIS (windows 10) will be able to achieve A+.
This is a lie. IIS 10.0 (Windows 10 RTM) which I have doesn't get A+ grade!!! It gets only an A and still doesn't support TLS_FALLBACK_SCSV.
1) Win10 != Server 2016
2) you can get an A+ if you enable only TLS 1.2!
This thread has been upped, and I forgot to write that my answer is mostly wrong. UseScsvForTls is about secure renegotiation, not downgrade attack prevention. My argument was invalid, sorry.