- From: Giuseppe Bianchi
- To:
- Subject: [ISS] about TLS configurations in the real world...
- Date: Sat, 14 Nov 2020 15:33:15 +0100
Folks, an interesting finding from one of your student colleagues.
Since it is VERY closely related to what we are doing in these days,
I'm extending the discussion to all.
The story is very simple. While trying to connect to the Policlinico
Tor Vergata site, which in these days is largely used (as it supports
the registration for the COVID drive-in tests), he noticed that his
browser could not complete the handshake. The reason is that he had
configured his browser to use 1.2+ while the server hello was
proposing only 1.0. Obviously the negotiation was not possible, so
the session aborted.
Now, it is VERY strange that the MAXIMUM version supported by a web site in
2020 is 1.0... Perhaps a downgrade attack in progress? Don't worry, it
was "just" an incredibly poor TLS configuration! Just to remark that
you can still find such weird and old settings even in important real-world
web sites!!
Now, as I will practically show in one of the next lectures, the best
tool to test a TLS server is the Qualys SSL Labs test suite, which is
available online at:
https://www.ssllabs.com/
You need to know quite a bit of TLS to understand the results, but
you already know enough to grasp what's going on (and you'll know
more in some of the next lectures).
Long story short: here is the result of the test.
The site was: www.ptvonline.it
and the result of the test is quite embarrassing, here:
https://www.dropbox.com/s/p7v0om8op1p8lia/ptvtest.pdf?dl=0
Enjoy! (sigh, even SSLv2 still supported.... ouch!!! And look at the
ciphers...)
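The failure described in the message is decided by a few bytes of the ServerHello: the version the server picks, and whether it falls inside the range the client is willing to accept. The following is an added example (not part of the original message, and not the SSL Labs tool) that decodes a ServerHello record, handles the two cases the message mentions, a server stuck at TLS 1.0 and a server still speaking SSLv2, plus a modern TLS 1.3 server for contrast, and reports whether a client configured for "1.2+" would continue or abort. All records are constructed inline; they are not captures from www.ptvonline.it or any other host.

```python
import struct

# ProtocolVersion values as they appear on the wire. SSLv2 carries its
# version (0x0002) inside its own record format rather than a TLS record.
VERSION_NAMES = {
    0x0002: "SSLv2",
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02
SSLV2_SERVER_HELLO_MSG = 0x04
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Return the version and cipher suite a server selected in its ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record")
    # SSLv2 has no TLS record layer: a 2-byte length with the high bit set,
    # then MSG-TYPE, SESSION-ID-HIT, CERTIFICATE-TYPE, SERVER-VERSION (2 bytes).
    if record[0] & 0x80:
        if len(record) < 7 or record[2] != SSLV2_SERVER_HELLO_MSG:
            raise ValueError("not an SSLv2 SERVER-HELLO")
        version = struct.unpack("!H", record[5:7])[0]
        return {"selected_version": version,
                "selected_name": VERSION_NAMES.get(version, f"unknown {version:#06x}"),
                "cipher_suite": None}  # SSLv2 uses 3-byte cipher kinds, not suites
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError(f"not a handshake record (type {content_type:#x})")
    body = record[5:5 + record_len]
    if len(body) != record_len or body[0] != SERVER_HELLO:
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    server_version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # server random
    pos += 1 + hello[pos]                       # session id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 1                                    # compression method
    # TLS 1.3 keeps 0x0303 in legacy_version and signals the real choice
    # in the supported_versions extension.
    selected = server_version
    if pos < len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            ext_data = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                selected = struct.unpack("!H", ext_data)[0]
    return {"record_version": record_version,
            "legacy_version": server_version,
            "selected_version": selected,
            "selected_name": VERSION_NAMES.get(selected, f"unknown {selected:#06x}"),
            "cipher_suite": cipher_suite}


def handshake_possible(selected_version: int, client_min: int, client_max: int) -> bool:
    """A client restricted to [client_min, client_max] aborts on anything outside it."""
    return client_min <= selected_version <= client_max


def build_server_hello(version: int, cipher_suite: int, extensions: bytes = b"") -> bytes:
    """Assemble a minimal ServerHello record (used only to construct sample input)."""
    hello = struct.pack("!H", version) + bytes(32)        # version, random
    hello += b"\x00"                                       # empty session id
    hello += struct.pack("!H", cipher_suite) + b"\x00"     # suite, null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    header = bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", min(version, 0x0303), len(handshake))
    return header + handshake


# Constructed samples, not captures from any real host.
LEGACY_SERVER_HELLO = build_server_hello(0x0301, 0x002F)  # TLS 1.0, TLS_RSA_WITH_AES_128_CBC_SHA
TLS13_SERVER_HELLO = build_server_hello(
    0x0303, 0x1301, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304))  # TLS_AES_128_GCM_SHA256
SSLV2_SERVER_HELLO = b"\x80\x05" + bytes([SSLV2_SERVER_HELLO_MSG, 0x00, 0x01, 0x00, 0x02])


def report(record: bytes, client_min: int = 0x0303, client_max: int = 0x0304) -> dict:
    """Decode a ServerHello and state whether a client limited to the range continues."""
    info = parse_server_hello(record)
    info["client_accepts"] = handshake_possible(info["selected_version"], client_min, client_max)
    return info


if __name__ == "__main__":
    for label, rec in [("legacy", LEGACY_SERVER_HELLO), ("tls13", TLS13_SERVER_HELLO),
                       ("sslv2", SSLV2_SERVER_HELLO)]:
        r = report(rec)
        outcome = "continues" if r["client_accepts"] else "aborts"
        print(f"{label}: server picked {r['selected_name']}, suite {r['cipher_suite']}, "
              f"client with min TLS 1.2 {outcome}")
```

The default range in `report` models the student's "1.2+" browser setting: the TLS 1.0 ServerHello is decoded fine but rejected, which is exactly the silent abort he saw; widening `client_min` to 0x0301 makes the same record acceptable. On a live host the real ServerHello bytes can be captured with `openssl s_client -connect host:443 -msg` and fed to `parse_server_hello` in place of the constructed samples.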