Max version has been pushed to TLS 1.3, but according to the docs and according to the code I believe IE11 on Windows 7 x64 should be able to use TLS 1.2 with Caddy 0.11.5.
It doesn’t seem to work correctly for these sites.
Yeah. In the Github links above, they do a similar test (not on caddyserver.com, but on another site served by the latest Caddy) with similar results, I believe.
We removed the last of the known-weak ciphers from Caddy’s default cipher suite selection. I have no interest in re-adding them personally, but you are welcome to in your own configurations to support broken and unsupported clients. Just note that cipher suite selection is not customizable in TLS 1.3.
Thanks to @My1 & @matt for their work in making changes to allow IE11 to continue to work, letting users of outdated clients connect whilst also being “secure by default”, without additional config requirements in Caddy 1.0.0.
Notes for anybody having issues with IE11 on Caddy 1.0.0 with default TLS config:
You will need to ensure your certificates are ECDSA and not RSA.
Prior to Caddy 1.0.0 the default was RSA when requesting a certificate from Let’s Encrypt.
Certificates will be automatically renewed using ECDSA upon nearing expiry, so at most 90 days. It looks like renewals occur using the existing RSA key for those certificates created with RSA, so manual expiry is required to switch over to ECDSA to continue IE11 support; see the post below.
To ensure a domain with a high IE11 user base was using the ECDSA and not the RSA certificate, I forced a certificate renewal. There is probably a better way than this (feel free to comment if there is).
Because I didn’t want all domains to re-request their certificates from Let’s Encrypt at the same time, potentially hitting limits, I just forced one domain (in this case example.com) by removing the certificate and restarting caddy.
Note that I do www.example.com as well; don’t forget it, otherwise you might have example.com working and www.example.com not working in IE11.
Matt, IE11 is still a factor in the industry.
I was amazed that Caddy decided to leave it. I checked your website under IE11 and I saw it is unsupported.
I think Caddy must make sure they support older browsers (that other big companies still support).
Also Caddy must make sure to let people know about these issues before they upgrade to a new version. We’re paying customers and we want to feel good when we’re making an upgrade to a new version. You can’t leave IE11 behind without telling anyone.
Anyway we can’t upgrade to the new version because of that.
While I think the Caddy project can do better about making sure people are aware of this kind of issue, it’s hyperbolic to claim that they didn’t tell anyone.
Additionally, during that time, it was still supported, just not by default, since a satisfactorily secure method of doing so hadn’t been implemented. You just needed to change some settings in order to get IE11 working fine. That’s moot now anyway.
In the post just three spots above yours, it’s very neatly explained that changes have been made to re-introduce the default support (in a secure manner) in the latest version. You can upgrade. Have a read of the post.
Thank you for the explanation, Matthew.
I don’t understand everything with the code, and I’m really trying, but when I saw caddyserver.com does not support IE11 it was clear to me that it is not supported.
Also I think something like dropping IE11 from the version needs to be written in the release on GitHub loud and clear.
Anyway, I think maybe I didn’t understand all of this issue. When we feel we need to upgrade, I hope everything will work without any problems and without the need to change anything in the binary (because we don’t really know how to do that).
@job_noam well, it is a bit more complicated. Let me give you a timeline of events:
Version 0.11.5 (where it was still essentially not a “full” release) knocked out CBC ciphers with a very good reason, but thereby killed IE11.
Luckily someone (in this case me) noticed one little “loophole” in the cipher list of IE11.
Because apparently IE11 DOES support a secure cipher, but under one (in all honesty, stupid) condition:
→ one has to use an ECDSA key/cert for it.
I went and made the needed changes before Caddy 1.0, which makes sure that Caddy by default supports IE11 in a secure way.
there’s only one catch (kinda becoming a theme here, lol):
Caddy apparently doesn’t see that the config wants a different type of key/cert when one already exists for a given host/domain/whatever.
The solution is to delete all your certs.
But be careful because of LE’s rate limiting: you can only request a certain number of certs in any given timeframe.
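Both the “Notes for anybody having issues with IE11” post and the timeline above come down to one check before deleting anything: is the certificate Caddy currently holds for a host ECDSA or RSA? The Go program below is an added example written for this thread, not code from Caddy or from any poster. It parses a PEM certificate with the standard library and reports the key algorithm, then runs that over a constructed pair of hosts (an ECDSA cert for example.com and a still-RSA cert for www.example.com, both self-signed in memory here as stand-ins for the Let’s Encrypt certificates on disk) to list which hosts still need the manual renewal described above. The host names and the 90-day validity are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certKeyType reports the public-key algorithm of the first CERTIFICATE block
// in certPEM: "ECDSA" or "RSA". Anything else is an error, so a malformed file
// can never look like a passing check.
func certKeyType(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse certificate: %w", err)
	}
	switch cert.PublicKeyAlgorithm {
	case x509.ECDSA:
		return "ECDSA", nil
	case x509.RSA:
		return "RSA", nil
	default:
		return "", fmt.Errorf("unexpected public key algorithm %v", cert.PublicKeyAlgorithm)
	}
}

// selfSignedPEM issues a constructed self-signed certificate for host. It stands
// in for the Let's Encrypt certificate Caddy keeps on disk; only the key type
// matters for the check above.
func selfSignedPEM(priv, pub interface{}, host string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // sample 90-day lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ecdsaCertPEM mimics the Caddy 1.0.0 default: a P-256 key, which is what lets
// Go's TLS stack offer ECDHE-ECDSA suites to the client.
func ecdsaCertPEM(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return selfSignedPEM(key, &key.PublicKey, host)
}

// rsaCertPEM mimics the pre-1.0.0 default that, per the thread, keeps being
// renewed as RSA until the stored certificate is removed.
func rsaCertPEM(host string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return selfSignedPEM(key, &key.PublicKey, host)
}

// checkHosts returns the hosts whose certificate is not ECDSA, i.e. the ones
// that still need a forced renewal for IE11 to connect.
func checkHosts(certs map[string][]byte) ([]string, error) {
	var needRenewal []string
	for host, p := range certs {
		kt, err := certKeyType(p)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", host, err)
		}
		if kt != "ECDSA" {
			needRenewal = append(needRenewal, host)
		}
	}
	return needRenewal, nil
}

func main() {
	// Constructed sample: the apex already moved to ECDSA, www is still RSA.
	apex, _ := ecdsaCertPEM("example.com")
	www, _ := rsaCertPEM("www.example.com")
	stale, err := checkHosts(map[string][]byte{"example.com": apex, "www.example.com": www})
	if err != nil {
		panic(err)
	}
	fmt.Println("hosts still on RSA certificates:", stale)
}
```

In a real deployment you would feed `certKeyType` the PEM files from Caddy’s certificate storage instead of the constructed ones, and remove only the hosts it lists, which keeps the number of fresh Let’s Encrypt requests (and the rate-limit exposure mentioned above) to the minimum.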