I don’t believe it’s related to TLS version itself, but rather to the cipher suite selection.
Hmm. Maybe.
I tried to validate ciphers available in Caddy compared to the ones I have in IE11.
According to this website: https://www.ssllabs.com/ssltest/viewMyClient.html
IE11 on my Windows 7 x64 machine supports these:
| TLS 1.3 | No |
|---|---|
| TLS 1.2 | Yes |
| TLS 1.1 | Yes |
| TLS 1.0 | Yes |
| SSL 3 | No |
| SSL 2 | No |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ( 0xc028 ) Forward Secrecy |
256 |
|---|---|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ( 0xc027 ) Forward Secrecy |
128 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ( 0xc014 ) Forward Secrecy |
256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ( 0xc013 ) Forward Secrecy |
128 |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ( 0x9f ) Forward Secrecy |
256 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ( 0x9e ) Forward Secrecy |
128 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA ( 0x39 ) Forward Secrecy |
256 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA ( 0x33 ) Forward Secrecy |
128 |
TLS_RSA_WITH_AES_256_GCM_SHA384 ( 0x9d ) WEAK |
256 |
TLS_RSA_WITH_AES_128_GCM_SHA256 ( 0x9c ) WEAK |
128 |
TLS_RSA_WITH_AES_256_CBC_SHA256 ( 0x3d ) WEAK |
256 |
TLS_RSA_WITH_AES_128_CBC_SHA256 ( 0x3c ) WEAK |
128 |
TLS_RSA_WITH_AES_256_CBC_SHA ( 0x35 ) WEAK |
256 |
TLS_RSA_WITH_AES_128_CBC_SHA ( 0x2f ) WEAK |
128 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ( 0xc02c ) Forward Secrecy |
256 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ( 0xc02b ) Forward Secrecy |
128 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ( 0xc024 ) Forward Secrecy |
256 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ( 0xc023 ) Forward Secrecy |
128 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ( 0xc00a ) Forward Secrecy |
256 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ( 0xc009 ) Forward Secrecy |
128 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 ( 0x6a ) Forward Secrecy2 |
256 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ( 0x40 ) Forward Secrecy2 |
128 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA ( 0x38 ) Forward Secrecy2 |
256 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA ( 0x32 ) Forward Secrecy2 |
128 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA ( 0xa ) WEAK |
112 |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ( 0x13 ) WEAK |
112 |
| Server Name Indication (SNI) | Yes |
|---|---|
| Secure Renegotiation | Yes |
| TLS compression | No |
| Session tickets | No |
| OCSP stapling | Yes |
| Signature algorithms | SHA512/RSA, SHA512/ECDSA, SHA256/RSA, SHA384/RSA, SHA1/RSA, SHA256/ECDSA, SHA384/ECDSA, SHA1/ECDSA, SHA1/DSA |
| Named Groups | secp256r1, secp384r1 |
| Next Protocol Negotiation | No |
| Application Layer Protocol Negotiation | No |
| SSL 2 handshake compatibility | No |