I fear I don’t have good news. After digging into this a bit more, it looks quite tricky.
As a simple fix I asked Martin whether he would “downgrade” his servers, but not surprisingly, he doesn’t want to do that.
While it seems that my server (Windows 2012 R2) does support TLS 1.2, it seems to fail because of the missing ciphers. According to Microsoft, Windows 2012 R2 supports the following ciphers (https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1). When testing my function, I get the following back:
```json
{
  "given_cipher_suites": [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
  ],
  "ephemeral_keys_supported": true,
  "session_ticket_supported": true,
  "tls_compression_supported": false,
  "unknown_cipher_suite_supported": false,
  "beast_vuln": false,
  "able_to_detect_n_minus_one_splitting": false,
  "insecure_cipher_suites": {},
  "tls_version": "TLS 1.2",
  "rating": "Probably Okay"
}
```
So, TLS 1.2 is “Probably Okay”. But the AS servers only support 3 ciphers for TLS 1.2, which are:
TLS 1.2 (suites in server-preferred order):

| Cipher suite | ID | Key exchange | Forward secrecy | Strength (bits) |
|---|---|---|---|---|
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | `0xcca8` | ECDH x25519 (eq. 3072 bits RSA) | FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | `0xc030` | ECDH x25519 (eq. 3072 bits RSA) | FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | `0xc02f` | ECDH x25519 (eq. 3072 bits RSA) | FS | 128 |
So, since my server and AS’ server don’t support the same ciphers, they can’t talk to each other.
Now, since my site is based on ASP classic, I’m not even sure whether a migration to a newer OS would solve the problem. The components used are quite old, and Microsoft is not supporting ASP classic anymore, as far as I know. So it looks like a big(ger) migration might be required, or more likely a complete re-write…
I will continue to look for a solution, but don’t be too optimistic just yet.
UPDATE: I just tested the necessary function on a Windows 10 machine that does have the cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 to check whether I could retrieve the page there. Unfortunately, the same problem persists.
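To make the mismatch in the post concrete, here is an added example (not code from the original post or from either server) that replays the TLS 1.2 cipher-suite selection with the two lists quoted above: the seventeen suites the Windows 2012 R2 client offered and the three suites the AS server accepts in its preferred order. A server that honours its own preference order walks its list and picks the first suite the client also offered; with no overlap the handshake ends in a `handshake_failure` alert. The example also splits each IANA-style suite name into key exchange, authentication, bulk cipher and MAC/PRF hash, and reports the client suites that differ from each server suite in exactly one part, which pinpoints what the client is missing (the ECDHE_RSA key exchange combined with an AES-GCM cipher, plus ChaCha20-Poly1305). The name-splitting convention and the one-part-difference heuristic are this example's own simplifications; the suite lists are copied from the post.

```python
"""Replay TLS 1.2 cipher-suite negotiation between the client and server
suite lists quoted in the post, and show the nearest misses.

Added example, not from the original post. Negotiation follows standard
server-preference selection; parse_suite() is a simplified split of
IANA suite names of the form TLS_<kx>_<auth>_WITH_<cipher>_<mac>.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Suites the Windows 2012 R2 client offered (copied from the post's JSON).
CLIENT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Suites the AS server accepts for TLS 1.2, in server-preferred order (from the post).
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


@dataclass(frozen=True)
class SuiteParts:
    kx: str      # key exchange, e.g. ECDHE or RSA
    auth: str    # authentication, e.g. RSA or ECDSA
    cipher: str  # bulk cipher, e.g. AES_256_GCM or CHACHA20_POLY1305
    mac: str     # MAC / PRF hash, e.g. SHA384


def parse_suite(name: str) -> SuiteParts:
    """Split TLS_<kx>_<auth>_WITH_<cipher>_<mac>; for TLS_RSA_WITH_* kx == auth == RSA."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kx_auth, rest = name[len("TLS_"):].split("_WITH_", 1)
    kx_parts = kx_auth.split("_")
    kx = kx_parts[0]
    auth = kx_parts[1] if len(kx_parts) > 1 else kx_parts[0]
    cipher, _, mac = rest.rpartition("_")  # last token is the hash
    return SuiteParts(kx, auth, cipher, mac)


def negotiate(client: List[str], server_preferred: List[str]) -> Optional[str]:
    """Server-preference selection: first server suite the client also offered.
    Returns None when there is no overlap (the server sends handshake_failure)."""
    offered = set(client)
    for suite in server_preferred:
        if suite in offered:
            return suite
    return None


def nearest_misses(client: List[str], server_preferred: List[str]) -> Dict[str, List[str]]:
    """For each server suite, the client suites that differ in exactly one part.
    This is a diagnostic heuristic showing which component the client lacks."""
    fields = ("kx", "auth", "cipher", "mac")
    client_parts = {c: parse_suite(c) for c in client}
    result: Dict[str, List[str]] = {}
    for s in server_preferred:
        sp = parse_suite(s)
        close = [c for c, cp in client_parts.items()
                 if sum(getattr(sp, f) != getattr(cp, f) for f in fields) == 1]
        result[s] = sorted(close)
    return result


if __name__ == "__main__":
    chosen = negotiate(CLIENT_SUITES, SERVER_SUITES)
    print("negotiated suite:", chosen or "none (handshake_failure)")
    for server_suite, near in nearest_misses(CLIENT_SUITES, SERVER_SUITES).items():
        print(f"{server_suite}: client's closest offers -> {near}")
```

Adding either `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` or `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` to the client list is enough for `negotiate()` to return a suite, and when both are present the server's own order decides (AES-256-GCM wins). On Windows 10 or Server 2016 and later, the locally enabled list that a Schannel client actually offers can be read with the PowerShell cmdlet `Get-TlsCipherSuite`; the JSON in the post is the equivalent view as seen from the remote side.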