Scavenger hunt: Find secure sites that fail with TLS 1.1, WIN T-Shirts/merchandise!!

Tuesday, 24. August 2004, 16:17:56

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Winners of the competition have been announced here: http://my.opera.com/forums/showthread.php?s=&postid=719517#post719517

Hello folks,

Some of you may have noticed a couple of short lines in the v7.60 TP changelog
about "Experimental support" for TLS 1.1 and TLS ServerName Extensions, and
wondered what it meant.

Here's the explanation, and a request for your assistance.

The "experimental" part means that we are not planning to release v7.60 final
(or public beta) with these features enabled.

Briefly (there is more info available here), TLS Extensions are a way to expand
the capabilities of the SSL/TLS protocol, and TLS 1.1 is the most modern version
of the SSL/TLS family of security protocols. TLS 1.0 and its predecessor SSL v3
are already supported by most clients and webservers.

Unfortunately, we've discovered that even though the SSL and TLS protocol
specifications provide for these extensions and new protocol versions, there are
secure Web sites that refuse to talk to a client that supports these new
features.

Because these servers are violating the TLS specifications we need to locate
them early so that they can be fixed before TLS 1.1 and TLS Extension capable
clients become commonplace, and that is why we are now asking for your
assistance.

What we'd like you to do, is to surf with TLS 1.1 enabled (it is enabled by
default) and visit as many secure websites as possible (e.g. banks, brokers,
financial services, webshops and other secure sites) and report back
here in this thread about any that work OK in 7.5x but not in 7.60 TP and that
fit the profile below. I can then examine the sites more carefully to see if it
really is caused by the experimental protocol features.

When should you report a site? It will usually fit the following profile (I
can't rule out any others, but this is the one that is most likely):

  • You are not able to enter the secure site at all when all the encryption
    protocols are enabled; the first request to the site results in a "Could not
    connect to the secure site" or similar message. Please confirm that the
    problem is 7.60 TP specific by being able to enter the site with 7.5x before
    continuing to the next point

    Prefs: SSL v3 [x] TLS 1.0 [x] TLS 1.1 [x]

  • If you disable TLS 1.1 and you are able to enter the site with TLS 1.0
    active, please report it as a possible TLS 1.1 problem

    Prefs: SSL v3 [x] TLS 1.0 [x] TLS 1.1 [ ]

  • If you are not able to enter it using TLS 1.0, disable TLS 1.0. If you are
    able to get into the site with SSL v3, please report it as a possible TLS
    Servername Extension problem. (It is possibly also a TLS 1.1 problem.)

    Prefs: SSL v3 [x] TLS 1.0 [ ] TLS 1.1 [ ]

  • If you are still not able to get into the server the problem may be a more
    serious protocol problem, please file a bug report for the Security component.
    Please note, however, that we have disabled the less secure 40 and 56 bit
    encryption methods in 7.60.


Edit: Keep in mind that when TLS 1.1 is enabled, TLS 1.0 and SSL v3 must also
be enabled, otherwise you will get error messages when the server selects
one of the disabled versions. The same holds for TLS 1.0 and SSL v3.


What should you post here?

  • Your guess of category (as mentioned above)

  • The URL of the secure server, or precise instructions on how to reach it (I
    prefer a URL).

  • Preferably, you should include a contact email address to the webmaster, or
    a URL to the site's contact form.

  • Keep the post as short as possible.

  • Please don't post duplicate URLs.

  • Please don't discuss these experimental features or specific sites beyond
    the above. If you wish to discuss this, please do so in a separate thread (I
    have asked the moderators to remove any post from this thread that is not a
    problem site report). However, relevant questions about what we are looking
    for are permitted.


If the problem is confirmed, what should you do?

When a site has problems with TLS Extensions or TLS 1.1, AND it has been
confirmed, an email should be sent to the webmaster to inform him about the
problem and request that he gets the problem fixed.

We ask you to send such an email, even if we also send them an email. We think
it will help immensely if the site is informed about the problem by existing
customers.

Sample emails have been placed here, and a webpage for the webmasters and
vendors can be found here. Please include the link to the vendor-page in all your
communication with such sites, as well as the resource links below.


Where can you test these experimental features?

The GnuTLS group maintains a testserver at https://www.gnutls.org:5555/ .

I'm not aware of any public testserver that supports the ServerName extension.
GnuTLS does implement the ServerName extension, but the above server is not
configured to use it.



Rules for the competition:

As a reward for taking time to hunt for these servers we are giving away a
number of Opera T-shirts and some other Opera merchandise.

The rules are as follows:

  • Opera employees and Elektrans are not eligible.

  • The reported site must not have been known to Opera Software before
    v7.60 TP was released.

  • Only the first post about a site counts. A site is defined as one or more
    servers maintained in the same domain (e.g. server1.example.com and
    server2.example.com counts as one(1) site).

  • To participate the reported websites must have been confirmed by Opera as
    not being able to accept TLS 1.1 connection request and/or a connection
    request using the TLS ServerName extension.

  • The competition will close at midnight CET (daylight saving time) 7. September, 2004

  • In case of ambiguities Opera's decision on the matter is final.


Among those posters that have reported more than one site and confirmed sites
the 3 with most confirmed sites will win an Opera T-Shirt (These are normally
only handed out to employees), an Opera mouse mat (pictures) and 4, 2 and 1 pieces,
respectively, of Opera merchandise. If two or more posters have the same number
of sites, the time of the first confirmed post is used to separate them.

Among the other participants (including those with multiple postings) 10 posters,
selected by drawing lots, will also receive an Opera T-shirt.


Known sites before release of v7.60 TP:

TLS 1.1 and TLS extension problems



Only TLS 1.1 problems



Sites found during scavenger hunt

Classifications:
  • (A) TLS 1.1 problem
  • (A1) No response on TLS 1.1 hello, does not close connection. TLS extensions OK
  • (B) TLS 1.1 and TLS Extensions
  • (C) Only TLS Extension problems, TLS 1.1 accepted.
  • (D) Accept TLS 1.1 or TLS Extensions, but not both at the same time.
  • (E) Accepts TLS 1.1 and (optional) extensions, but not TLS 1.0 and extensions.


  1. 24hour-online.ie (Oopsey) Several servers, some only Type A (www5), others are Type B (www2).
  2. usaa.com (bdclary) Multiple servers, Type B.
  3. firsttrustonline.co.uk (luap.h) At least Type A,
    seems to be in the same serverpark as 24hour-online.ie.
  4. easyweb.tdcanadatrust.com (Grizzbear) Type B
  5. www.ebank.hsbc.ca (lsaplai) Type A
  6. www.ebank.hsbc.co.uk (Dan_292) Type A
  7. net.pbz.hr (alenx) Type A
  8. www-1.ibm.com (lukefab) Type A
  9. www.fortisbanking.be (rObkE) Type B
  10. www.kbc.be (rObkE) Type A
  11. www.knbanking.be (rObkE) Type C
  12. ebanking.bgl.lu (lukefab) Type B
  13. secure.us.com (rObkE) Type B
  14. cert.oasis.telenet.be (rObkE) Type A
  15. axess.stanford.edu (rObkE) Type A
  16. ssol.columbia.edu (lukefab) Type A
  17. student.rug.nl (rObkE) Type D
  18. manager.verisign.com (rObkE) Type B
  19. products.freessl.com (lukefab) Type A
  20. products.geotrust.com (lukefab) A
  21. www.swetswise.com (rObkE) Type A
  22. www1.bmo.com (lukefab) Type B
  23. onlinebanking.mandtbank.com (lukefab) Type C
  24. banking.uboc.com (lukefab) Type A1
  25. online.dollarbank.com (lukefab) Type E
  26. e91.absa.co.za (lukefab) Type B
  27. www.ebank.hsbc.com.hk (lukefab) Type B
  28. www.mon-compte.com (lukefab) Type B. Server is only SSL v3
  29. www.secure.bnpparibas.net (lukefab) Type B
  30. peoplefirst.myflorida.com (rObkE) Type A
  31. s044a90.ssa.gov (rObkE) Type A
  32. az.gov (rObkE) Type A
  33. vault.melloninvestor.com (rObkE) Type A
  34. wolverineaccess.umich.edu (rObkE) Type A
  35. www.iblogin.com (lukefab) Type A
  36. ibank.cahoot.com (lukefab) Type A
  37. www.kb24.pl (Numen) Type A
  38. fortress.wa.gov (lukefab) Type B
  39. secure.dabs.com (elvis) Type A
  40. banking.raiffeisen.at (Eabin) Type A
  41. secure.azc.com (lukefab) Type A Server is SSL v3-only, with a 512 bit certificate, and does not accept TLS 1.0 at all, in violation of the SSL v3 standard, and should be upgraded, since SSL v3 was obsoleted 5 years ago.
  42. www.insight.com (lukefab) Type A
  43. www.rbcroyalbank.com (lsaplai) Type A
  44. apweb.apsu.edu (rObkE) Type C
  45. ucfy.ucop.edu/ucfy (rObkE) Type B
  46. shinsei-cert.mext.go.jp (rObkE) Type A
  47. query.lotus.com (rObkE) Type A Server is SSLv3-only. Should be upgraded.
  48. foia.aphis.usda.gov (rObkE) Type A
  49. olb.au.virginmoney.com (djp) Type B
  50. secure.ampbanking.com (djp) Type A
  51. bmtweb.lamar.edu (selda) C
  52. www.verizonwireless.com (Steve Haney) Type A
  53. www.nrsservicecenter.com (jrichard326) Type A
  54. secure.ingdirect.ca (gerrysaint) Type A
  55. www-1.95284.com (gerrysaint) Type A
  56. www.anz.com (Lamps) Type D
  57. www.fundix.nl (rObkE) Type A
  58. admit.belgacom.be (rObkE) Type A
  59. wysmail.chn.nl (rObkE) Type A Server is SSLv3-only, and should be upgraded.
  60. portal.drenthecollege.nl (rObkE) Type A Server is SSLv3-only and should be upgraded.
  61. klient3.ebanka.cz (_petval_) Type C
  62. secure.vonage.com (stuckpixel) Type A
  63. secure.unlimitedvoice.com (stuckpixel) Type A
  64. www.aquieco.com (lukefab) Type D
  65. www.sinet.uq.edu.au (rObkE) Type D. TLS 1.1 is accepted, but there is handshake failure due to incorrect handling of the version-number in the RSA PremasterSecret
  66. info.worldbank.org (rObkE) Type A (SSL v3)
  67. usercenter.checkpoint.com (rObkE) Type A
  68. cs.ala.org (rObkE) Type C. Does not close the connection sometimes when TLS Extensions are used
  69. ebanking.spardabank-linz.at (vulkanus) Type A
  70. www.uno-e.com (BigFredi) Type A
  71. online.btfunds.com.au (djp) Type C
  72. wwwa.nko.navy.mil (Robke) Type A
  73. www.llbean.com (xenodochy) Type A
  74. www-ssl.bestbuy.com (leoherz) Type A
  75. www.ebank.us.hsbc.com (lukefab) Type A
  76. ola.orcasnet.com (lukefab) Type A. TLS 1.1 is accepted, but there is handshake failure due to incorrect handling of the version-number in the RSA PremasterSecret
  77. pob-w.firstcitizens.com (lukefab) Type B
  78. secure.ingdirect.co.uk (lukefab) Type A
  79. www.broker.ingcanada.com (lukefab) Type A
  80. www.ingfunds.ca (lukefab) Type A
  81. www.desjardins.com (NightGriffin) Type A
  82. service.o2.co.uk (EXodus) Type B
  83. sec.westpactrust.co.nz (personae) Type B. TLS 1.1 alone results in SSL v3 being negotiated, not TLS 1.0
  84. drcwww.uvt.nl (frenzy) Type A
  85. entreebeheer.kennisnet.nl (frenzy) Type A
  86. webmail.hro.nl (frenzy) Type A1
  87. www.e.meespierson.com (frenzy) Type A. Display problems
  88. onlineaccess.mycreditcard.cc (frenzy) Type A. At least it sends a TLS Protocol Version alert
  89. mailcentral.hhs.nl (frenzy) Type D
  90. my.ufl.edu (bdclary) Type D. SSL v2 handshake with TLS 1.1 results in handshake failure, SSLv3+ handshake results in a successful handshake with TLS 1.1 enabled, curious.
  91. www99.americanexpress.com (leoherz) Type B
  92. www.dnafinland.fi (olmari) Type A
  93. mail.gorodok.net (Orlando) Type D
  94. www1.americanexpress.hr (Magi) Type A
  95. www.internetkassan.nu (andewid) Type A
  96. netcom.no (sag) Type A
  97. www.blair.com (psoberg) Type A
  98. www.coca-colascholars.org (rObkE) Type A
  99. w1.buysub.com (rObkE) Type B
  100. bank.eldersruralbank.com.au (rObkE) Type A
  101. www.netraverse.com:9100 (rocco) Type C Handshake never ends when using TLS 1.0 extensions.
  102. paragon.acs.org (Kevin) Type A. At least it sends a TLS Protocol Version alert
  103. portal4.landbobanken.dk (have) Type A
  104. ibank.nic-bank.com (rObkE) Type C
  105. bank.abnamro.com.tw (rObkE) Type A
  106. was.nd.edu (rObkE) Type A
  107. www.verkkoposti.com (rObkE) Type A
  108. www.seasilver.com (rObkE) Type A TLS 1.1 is accepted, but there is handshake failure due to incorrect handling of the version-number in the RSA PremasterSecret
  109. sarah.williams.edu (rObkE) Type A
  110. www.uspsepm.com (rObkE) Type A. At least it sends a TLS Protocol Version alert
  111. www2.bancopopular.es (rObkE) Type A
  112. www.frost.com (rObkE) Type A
  113. wrs21.tap-ic.co.jp (rObkE) Type A (SSLv3 only)
  114. www.nissan-bank.de (rObkE) Type C
  115. www.pinnacle-bank.com (rObkE) Type C
  116. investing.schwab.com (rObkE) Type B
  117. login.abnamro401k.com (rObkE) Type C
  118. w1.aircanada.ca (rObkE) Type B
  119. ebanking.hangseng.com (rObkE) Type B
  120. www.eomniform.com (rObkE) Type C


Information about TLS in 7.60 TP



References

Tuesday, 24. August 2004, 16:19:26

Jonny_Rein

Posts: 9

I will be following this thread.

Tuesday, 24. August 2004, 16:30:44

Oopsey

Posts: 13

Ireland

AIB Banking

o Possible TLS Servername Extension problem

o https://www5.24hour-online.ie/hb1/presign.jsp (Mod note: corrected URL; was the URL of the login image)

o Can't find a contact address but I have submitted a report to the webmaster via a webform located at https://www2.24hour-online.ie/hb1/roi/tech.jsp

Tuesday, 24. August 2004, 19:30:02

yngve

Senior Developer

Posts: 2320

Oslo, Norway

@thepikermickey: I'm sorry, all of those you reported above work OK (at least with respect to TLS).

I suspect that your problems were caused by disabling TLS 1.0 while enabling TLS 1.1. If the server
selects TLS 1.0 (since it does not support TLS 1.1) Opera will see that TLS 1.0 is disabled
and display an error. There is currently no way to tell the server that a client will not accept
a connection using some specific versions, while others are acceptable, but I suspect that somebody
will come up with a TLS Extension for it, sometime.

I've updated my post to reflect this.
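
The version selection described in the reply above, together with the three preference settings from the first post, modelled as an added example (not code from Opera or from any poster). The server models, the function names and the host www.example.com are assumptions, and the ClientHello uses a constructed all-zero random and a single cipher suite.

```python
import struct

SSL3, TLS10, TLS11 = (3, 0), (3, 1), (3, 2)   # (major, minor) as sent on the wire

def build_client_hello(max_version, server_name=None):
    """ClientHello handshake body (record layer omitted); values are constructed."""
    body = bytes(max_version) + bytes(32) + b"\x00"   # version, zero random, no session id
    suites = struct.pack("!H", 0x002F)                # TLS_RSA_WITH_AES_128_CBC_SHA
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # null compression
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni            # extension 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    return body

def parse_client_hello(body):
    """Return (client_version, {extension_type: data}) from a ClientHello body."""
    version = (body[0], body[1])
    pos = 2 + 32
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]     # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    extensions = {}
    if pos < len(body):                                   # trailing extensions block
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            extensions[ext_type] = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    return version, extensions

def make_server(server_max=TLS10, rejects_newer=False, rejects_extensions=False):
    """Hypothetical server model; the two flags model the faults being hunted."""
    def server(hello):
        version, extensions = parse_client_hello(hello)
        if rejects_newer and version > server_max:
            return None                    # fault: drops a hello above its own version
        if rejects_extensions and extensions:
            return None                    # fault: drops a hello carrying extensions
        return min(version, server_max)    # correct: highest version both sides support
    return server

def client_connect(enabled, server, host="www.example.com"):
    """Offer the highest enabled version. Assumption: extensions go out only
    when TLS 1.0 or later is offered, which is what makes the SSL v3 step useful."""
    offer = max(enabled)
    chosen = server(build_client_hello(offer, host if offer >= TLS10 else None))
    if chosen is None:
        return "could not connect"
    if chosen not in enabled:
        return "server selected a disabled version"
    return chosen

def triage(server):
    """Walk the three preference settings from the first post, in order."""
    steps = [({SSL3, TLS10, TLS11}, "ok"),
             ({SSL3, TLS10}, "possible TLS 1.1 problem"),
             ({SSL3}, "possible TLS ServerName extension problem")]
    for enabled, verdict in steps:
        if client_connect(enabled, server) in enabled:
            return verdict
    return "more serious protocol problem"

if __name__ == "__main__":
    print(triage(make_server()))                          # well-behaved TLS 1.0 server
    print(triage(make_server(rejects_newer=True)))
    print(triage(make_server(rejects_extensions=True)))
    print(client_connect({SSL3, TLS11}, make_server()))   # TLS 1.0 disabled by the user
```

The triage cannot tell a server that rejects only extensions from one that rejects both extensions and the newer version, which is why the first post notes that the third case is possibly also a TLS 1.1 problem.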

Tuesday, 24. August 2004, 19:43:39

bdclary

Posts: 204

USAA - Possible TLS Servername Extension problem

Main site URL:

http://www.usaa.com/ (automatically redirects to secure server)

The USAA site does not have an email listed or a contact form; here is the contact page: https://www.gc.usaa.com/inet/gas_corp/CpLevelZeroContactUs?ContactUsPageId=PublicContactUs

Received "Could not connect to remote server" with both TLS 1.1 and TLS 1.0 enabled. Received same error with only TLS 1.0 enabled. No errors with SSL v3.

Tuesday, 24. August 2004, 22:04:31

http://app.commonapp.org/

Thank you for your note. Our site does not support TLS 1.1. Perhaps we will consider supporting this standard for next year's common application online. Thank you for using Common App Online.

I haven't sent one of the preformatted emails yet, but I will once the site is technically confirmed. I'm assuming the site supports TLS1 but I can't confirm this yet since everything is back-end.

Tuesday, 24. August 2004, 22:21:05

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by thepikermickey
http://app.commonapp.org/



I've no problem accessing https://app.commonapp.org/ with TLS 1.1 activated, it quite properly falls back to TLS 1.0, which is its highest supported version.

Tuesday, 24. August 2004, 23:41:40

iampaulh

escapefails.com

Posts: 20

TLS 1.1 problem
http://www.firsttrustonline.co.uk/ clicking on sign in to give error on
https://www2.firsttrustonline.co.uk/hb1/ft/presign.jsp

Wednesday, 25. August 2004, 04:13:59

Grizzbear

Moderator

Posts: 2601

TLS 1.1 and TLS 1.0 ext problems as far as I can tell


http://www.tdcanadatrust.com/ click the NOW button by the Easy Web drop down menu

Wednesday, 25. August 2004, 09:04:06

lsaplai

Posts: 793

Canada

Let's try this one:
www.hsbc.ca
The Internet banking link is in the top right corner of the page. It works with 7.54. My Internet connection is very slow at the moment so it's difficult to say where the problem comes from: it seems not to work no matter which security setting I am using. Can someone confirm?

Wednesday, 25. August 2004, 10:31:05

Dan_292

pig in zen

Posts: 5869

I get a possible TLS 1.1 problem with www.hsbc.co.uk

1st Login page loads fine (where required to enter "internet banking user ID" its URL is http://www.ukpersonal.hsbc.co.uk/public/ukpersonal/internet_banking/en/logon.jhtml )

Enter ID with TLS 1.1 enabled and get "Could not connect to remote server"
Enter ID with TLS 1.0 only (Opera 7.6) and login works as normal


With lsaplai's http://www.hsbc.ca/hsbc link I get a similar behaviour specifically:

Go to "personal internet banking" (top right) and click GO...
with TLS 1.1 enabled and I get "Could not connect to remote server"
with TLS 1.0 only (Opera 7.6) I get a page asking for user name etc.


Interestingly both HSBC banking pages seem to work fine if TLS 1.1 starts enabled, is then disabled, then re-enabled.

Wednesday, 25. August 2004, 13:48:21

alenx

Posts: 4

E-banking service of the biggest Croatian bank:

https://net.pbz.hr/cgi-bin/inetbank/login

It works with v7.54.

It works with v7.60 only if TLS 1.1 is disabled.

Wednesday, 25. August 2004, 17:09:44

lsaplai

Posts: 793

Canada

Yeah! Got one.
My other bank, www.vancity.com (banking at https://directnet.vancity.com/direct/login.jsp?inst=/bc/vancity) works great in 7.6 though. But yet again they are a good bank, coding to the standards and designing with CSS!

On to the next site...

Wednesday, 25. August 2004, 18:45:44

lukefab

Posts: 1545

got one too!
from http://www.ibm.com/education/us/, unable to go to http://www.ibm.com/easyaccess/hied (Buy->higher Education) with TLS1.1. TLS1.1 disabled is ok.

EDIT : the link is a http but you end up with this error message : https://www-1.ibm.com/gold/portal/servlet/gold/hied/Welcome/WideOpenSwitchProtocolParam_XaYbZc
bash: https://www-1.ibm.com/gold/portal/servlet/gold/hied/Welcome/WideOpenSwitchProtocolParam_XaYbZc: No such file or directory

Wednesday, 25. August 2004, 20:05:24 (edited)

rObkE

Mac user

Posts: 611

Belgium

https://www.fortisbanking.be/

Opera 7.60 P1 crashes if TLS 1 and/or 1.1 are enabled. First Opera tries to download an octet/stream, it can't connect, and if you try again, it crashes.

Wednesday, 25. August 2004, 18:54:13

rObkE

Mac user

Posts: 611

Belgium

https://www.kbc.be/

Same as above, but you have to try a couple of times until it crashes...

Wednesday, 25. August 2004, 20:05:33 (edited)

rObkE

Mac user

Posts: 611

Belgium

https://www.knbanking.be/

Crashes if TLS 1 and/or 1.1 are enabled. First Opera can't connect and if you try again, it crashes.

Wednesday, 25. August 2004, 19:04:35

lukefab

Posts: 1545

http://www1.ingdirect.fr/general?KEYWORD=INDEX_CLIENT
could not connect to remote server with tls1.1 and tls1

Wednesday, 25. August 2004, 19:20:04

rObkE

Mac user

Posts: 611

Belgium

https://demo.hivemail.com/

With TLS 1(.1) enabled, Opera crashes instantly.

Wednesday, 25. August 2004, 19:25:13

rObkE

Mac user

Posts: 611

Belgium

Crash with TLS 1 and/or 1.1: https://secure.itsamac.com/

Wednesday, 25. August 2004, 19:29:47

rObkE

Mac user

Posts: 611

Belgium

Again: crash with TLS 1(.1): https://giggle.berkeley.edu/

"Six oughta do it, don't you think? Do you think we need one more? You think we need one more? Alright, we'll get one more." :wink:

Wednesday, 25. August 2004, 19:31:32

lukefab

Posts: 1545

https://ebanking.bgl.lu/fr/bgl/Main.html
works only with ssl3 (tls1.1 and tls1.0 give a could not connect to server error)

Wednesday, 25. August 2004, 19:33:02

rObkE

Mac user

Posts: 611

Belgium

Can't connect with TLS 1(.1), but doesn't crash: https://secure.us.com/

Wednesday, 25. August 2004, 19:47:22

rObkE

Mac user

Posts: 611

Belgium

There was something at this link, but apparently it's dead now. But that doesn't matter, Opera with TLS 1(.1) enabled can't connect to https://cert.oasis.telenet.be/

Wednesday, 25. August 2004, 19:54:19

rObkE

Mac user

Posts: 611

Belgium

No go for https://axess.stanford.edu/ either with TLS 1(.1).

Wednesday, 25. August 2004, 20:04:58

rObkE

Mac user

Posts: 611

Belgium

Can't connect, but doesn't crash with TLS 1(.1): https://www.nedlinux.nl/

Wednesday, 25. August 2004, 20:15:35

lukefab

Posts: 1545

https://ssol.columbia.edu/
doesn't work with tls1.1, tls1.0 is ok

Wednesday, 25. August 2004, 20:17:49

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by rObkE
https://www.knbanking.be/



Well, well, well. That's a first.

Congratulations, you just found the first Type C server: Accepts TLS 1.1, but refuses to accept TLS extensions.

No crash, though.

Wednesday, 25. August 2004, 20:20:02

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by lukefab
http://www1.ingdirect.fr/general?KEYWORD=INDEX_CLIENT



The IngDirect site was already known.

Wednesday, 25. August 2004, 20:24:25

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by rObkE
https://demo.hivemail.com/



No crash. Server apparently got a HTTP server, not a HTTPS server on the 443 port. That is a server configuration problem.

Wednesday, 25. August 2004, 20:30:20

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by rObkE
Crash with TLS 1 and/or 1.1: https://secure.itsamac.com/



No crash. Site is using 40 bit encryption, which is disabled by default in 7.60 as it is just too unsecure these days. Looks like something happened to the SSL error dialogs, they've gone missing.

Wednesday, 25. August 2004, 20:31:17

lukefab

Posts: 1545

Originally posted by yngve
The IngDirect site was already known.



arrh, you're right

Wednesday, 25. August 2004, 20:34:29

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by rObkE
Again: crash with TLS 1(.1): https://giggle.berkeley.edu/



No crash. Another badly configured server: Looks like there is a HTTP not a HTTPS server on port 443.

Thursday, 26. August 2004, 00:33:09 (edited)

rObkE

Mac user

Posts: 611

Belgium

Originally posted by yngve
Well, well, well. That's a first.

Congratulations, you just found the first Type C server: Accepts TLS 1.1, but refuses to accept TLS extensions.

Cool, does that count for 5? p:

No crash, though.

Do they _have_ to crash to count for a failing site? :D

Wednesday, 25. August 2004, 20:55:13

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by rObkE
Can't connect, but doesn't crash with TLS 1(.1): https://www.nedlinux.nl/



Is there anything at all at that server? v7.54 and IE aren't able to connect to that site either. When only SSL v2 is used the server never responds.

I am not able to classify this as anything, sorry.

Wednesday, 25. August 2004, 21:05:36

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Originally posted by rObkE
Cool, does that count for 5? p:


Sorry, no.

Do they _have_ to crash to count for a failing site? :D


No, it is just connection failures we're looking for.

Wednesday, 25. August 2004, 21:20:59

yngve

Senior Developer

Posts: 2320

Oslo, Norway

Additions to list of confirmed sites

As the forum software has been so inconsiderate as to lock me out of the primary post because "it is too old" here is the list of new additions to the confirmed list.

There is a new classification, "Type C", that accepts connections from a TLS 1.1 client, but not connections from clients supporting TLS Extensions. I'll add a sample email for this case later.

The new additions

  • www-1.ibm.com (lukefab) Type A
  • www.fortisbanking.be (rObkE) Type B
  • www.kbc.be (rObkE) Type A
  • www.knbanking.be (rObkE) Type C
  • ebanking.bgl.lu (lukefab) Type B
  • secure.us.com (rObkE) Type B
  • cert.oasis.telenet.be (rObkE) Type A
  • axess.stanford.edu (rObkE) Type A
  • ssol.columbia.edu (lukefab) Type A

Thursday, 26. August 2004, 00:32:40 (edited)

rObkE

Mac user

Posts: 611

Belgium

https://student.rug.nl/ crashes with TLS 1.1.
https://uddi.ibm.com/ubr/registry.html can't connect with TLS 1.1 enabled.
https://manager.verisign.com/: can't connect with TLS 1/1.1.

BTW, the crashes I reported (on the sites that are not badly configured) only seem to happen at random. Same with https://manager.verisign.com/. Sometimes a download window pops up, sometimes it makes Opera crash...

Wednesday, 25. August 2004, 23:54:36

rObkE

Mac user

Posts: 611

Belgium

https://www.swetswise.com/ doesn't work with TLS 1.1.

Thursday, 26. August 2004, 00:24:35

rObkE

Mac user

Posts: 611

Belgium

One more: my ISP account settings... :rolleyes:

https://services.telenet.be/ (https://services.telenet.be/isps/MainServlet) fails with TLS 1.1.

Lucky for me I'm switching ISP's next month... :irked: p:

Thursday, 26. August 2004, 04:47:25

lukefab

Posts: 1545

https://banking.uboc.com/UBOC/BankAtHome/LoginFrameset.jsp
page stalled at "setting up secure connection" with tls1.1. tls1.0 is fine.

Thursday, 26. August 2004, 05:28:09

lukefab

Posts: 1545

one more bank : https://e91.absa.co.za/ibs/ibs.jsp , no tls1.1, no tls1.0