http.sys & ssl on ssllabs get C rating (vulnerable)
#5
(10-16-2018, 07:40 AM)ioan Wrote: After changing one of my applications to use http.sys, the ssllabs rating went from A to C (vulnerable). Any idea why this is and what settings I have to make to get a better rating?

Well, it seems that I always find the answer after I post my question here :-)

This article explains what changes need to be made to get an A rating. You can also run the PowerShell script from the article and it makes all the changes. Now the mission for an A+ rating begins.

I have worked a bit with optimizing SSL security, both with IntraWeb standalone (A+) and with a .NET service using the same built-in SSL security as IIS (A). Windows built-in security level can be crappy by default (especially in older OS versions) and needs to be optimized with regard to ciphers. I used a free tool called "IIS Crypto" that probably does something similar to the PowerShell script you mention. At least historically, a drawback of using Windows built-in security was that it does not receive security updates when the OS gets older. For example, when we still had some Win2003 servers out there with our software installed (no longer supported, thankfully...), we could maintain an A+ rating for our IW web applications simply by updating OpenSSL and adjusting cipher configuration, but could not get higher than C for the .NET service (due to TLS 1.2 not being supported).
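Editor's added example, not part of either post and not the script from the linked article: a read-only PowerShell audit of the Schannel protocol and cipher-suite settings that http.sys and IIS share, useful for seeing what a server offers before and after running a hardening tool. The registry path is the standard Schannel location; the weak-cipher pattern is an assumption of this example.

```powershell
# Added example: read-only audit of Schannel server settings (used by http.sys and IIS).
# Nothing is changed; the script only reads the registry and the cipher suite list.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Get-SchannelServerProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)

    $path  = Join-Path $base "$Protocol\Server"
    $state = 'OS default (not set)'          # no explicit value: the OS version decides
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        if ($null -ne $props.Enabled) {
            # Enabled is a DWORD: 0 disables the protocol, any non-zero value enables it
            $state = if ($props.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }
    $isLegacy = $legacy -contains $Protocol
    # Flag legacy protocols that are not explicitly off, and TLS 1.2 if it is switched off
    $review = ($isLegacy -and $state -ne 'Disabled') -or
              (-not $isLegacy -and $state -eq 'Disabled')
    [pscustomobject]@{ Protocol = $Protocol; State = $state; Review = $review }
}

($legacy + 'TLS 1.2') | ForEach-Object { Get-SchannelServerProtocolState $_ } |
    Format-Table -AutoSize

# Cipher suites: Get-TlsCipherSuite ships with Windows Server 2016 / Windows 10 and later.
# The pattern below is this example's own choice of what to flag, not a complete policy.
$weakPattern = 'RC4|3DES|_DES_|NULL|MD5'
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match $weakPattern } |
        Select-Object -ExpandProperty Name
} else {
    Write-Output 'Get-TlsCipherSuite not available; inspect the cipher suite order with IIS Crypto.'
}
```

A protocol reported as "OS default (not set)" is governed by the Windows version's built-in default, so on older releases a legacy protocol in that state may still be offered.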


Messages In This Thread
RE: http.sys & ssl on ssllabs get C rating (vulnerable) - by magosk - 11-26-2018, 02:18 PM
