TLS 1.3 only server graded worse than TLS 1.3 & TLS 1.2 #711
Comments
I can confirm this issue.

Just found this issue in March 2020; seems odd to be marked down for not supporting unneeded protocols.

It's a bug, as mentioned here. The grading won't award A+ if it fails to fall back to a lower protocol version properly. But since you're only offering a single protocol version, it shouldn't apply.

When will this bug be fixed? Not providing TLSv1.2 doesn't make a server less secure. And worse, servers with 90% Key Exchange and 90% Cipher Strength can get an A+, while a TLSv1.3-only server having 100% in each of the four categories only gets an A.
Just now, I have tested a server which supports TLS 1.3 only. It gets an A grade (using nginx with no special cipher setting). In the protocol section, it complains about TLS 1.2 being disabled...

When I change the configuration only to add TLS 1.2 support, there are a whole lot of weak ciphers (since I have not excluded any from the nginx default). However, with the same settings otherwise, the server now gets an A+ grade.

In my opinion, a TLS 1.3 only server should be graded at least as well as a server with both TLS 1.3 and 1.2 enabled. Is there a reason to downgrade a TLS 1.3 only server in comparison with a TLS 1.3 & TLS 1.2 server?
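An added nginx example (not the reporter's configuration) showing the two setups described above side by side: TLS 1.3 only, and TLS 1.2 plus 1.3 with an explicit cipher list in place of nginx's default, so that enabling TLS 1.2 does not pull in weak suites. The hostname and certificate paths are placeholders.

```nginx
# Added example, not the configuration from the issue. Paths/hostname are placeholders.

# Variant A: TLS 1.3 only. TLS 1.3 defines only AEAD, forward-secret suites,
# so there is nothing to exclude. Note that nginx's ssl_ciphers (an OpenSSL
# cipher list) does not govern TLS 1.3 suites at all.
server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder

    ssl_protocols TLSv1.3;
}

# Variant B: TLS 1.2 + TLS 1.3. nginx's default ssl_ciphers is HIGH:!aNULL:!MD5,
# which still admits RSA key exchange (no forward secrecy) and CBC suites under
# TLS 1.2; that is the "whole lot of weak ciphers" the reporter observed.
# Restricting TLS 1.2 to ECDHE + AEAD suites keeps the TLS 1.2 path comparable
# in strength to TLS 1.3.
server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Every listed suite is forward secret and AEAD, so client preference is fine.
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
}
```

Validate with `nginx -t` before reloading; the offered protocol versions and suites can then be confirmed with an external scanner or `openssl s_client -tls1_2` / `-tls1_3`.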