Battle.net SSL/TLS Issues

I recently installed the Battle.net App on my desktop (Win 11 Pro). I also have a few IIS websites running on it. I had adjusted the Protocols/Ciphers/Hashes/Key Exchanges settings (w/ Qualys SSL Labs IISCrypto) to disable insecure or weak settings. This had the side effect of preventing the app from connecting to the server. I played around with the settings and realized a few things about the servers. They do support either TLS 1.2 or 1.3, but they seem to ONLY support the hash algorithm SHA-1 and/or weak ciphers based around that and TLS_RSA key exchange. I would like to suggest changing the settings to support more than SHA-1 and the weak ciphers, leaving the old ones on for backwards compatibility with older machines. (I hear you still support Windows 7 machines; Windows 7 is 1 year (01/14/2020) past end of life.) This way security-minded people like me can disable the weak/insecure ciphers and hashes and still connect to the servers and play the games. The only reason not to would be if these ciphers are coded into the app instead of being handed over to the operating system, which is bad programming practice.

4 Likes

Just ran into this too, appreciate having another person concerned about it… hopefully they fix it in the next cycle if possible.

I am posting here because I had the exact same thing happen to me and support told me to respond, specifically: "If you have any suggestions or feedback about these SSL requirements though, you can definitely provide that on the Blizzard app forums. You can find a similar discussion on the SSL ciphers here:". TBH I am not sure why the WoW login / Battle.net login still supports TLS 1.0 and 1.1 and not modern SSL ciphers. FWIW, you can disable TLS 1.0 / 1.1 and leave TLS 1.2 enabled, or just use IISCrypto's best practice template, then tick off TLS 1.0/1.1.

1 Like

What server(s) are supporting the SHA1 hash algorithm?

I did a quick check against us.battle.net and see TLS 1.2 supported for these cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030), ECDH secp256r1 (eq. 3072 bits RSA), FS, 256-bit
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f), ECDH secp256r1 (eq. 3072 bits RSA), FS, 128-bit
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f), DH 2048 bits, FS, 256-bit
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e), DH 2048 bits, FS, 128-bit

TLS 1.1 does use SHA1 and looks to be there just for legacy.

Perhaps the issue is the client? I briefly looked at the temporary storage and it appears to be using some form of a Chromium-based engine.

I can only assume if the reports are true, the client is trying to connect to other servers that may not be as secure. Does anyone have that information?
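As an added example (not code from this thread, from the Battle.net app, or from Blizzard), here is a small Python script that flags, in a list of IANA-style cipher suite names, exactly the properties the first and third posts argue about: static TLS_RSA key exchange (no forward secrecy), HMAC-SHA1 suites (names ending in _SHA, the ones IISCrypto's SHA hash toggle removes), CBC mode, and legacy ciphers. The suite list is constructed from the four suites quoted above plus some legacy suites for contrast; it is not a measurement of any Blizzard server. The `probe` helper, which opens a real TLS 1.2 connection offering a single suite, is assumed to be run by hand against a host and OpenSSL cipher name of your choosing.

```python
"""Flag the weak properties the thread argues about in a TLS cipher suite list,
and optionally probe a host for a single suite. Added example, not Blizzard code."""
import socket
import ssl

# Constructed sample: the four suites quoted in the thread, plus legacy suites
# for contrast. Illustrative input only, not a measurement of any server.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

LEGACY_CIPHERS = ("3DES", "RC4", "_NULL_", "EXPORT", "_DES_")


def classify(suite):
    """Return the weaknesses of an IANA-style suite name (empty list = acceptable).

    - TLS_RSA_WITH_*: static RSA key exchange, no forward secrecy (what the
      'Key Exchanges' toggle in IISCrypto removes).
    - A trailing '_SHA' means HMAC-SHA1 for record integrity; SHA256/SHA384 in
      AEAD suite names is only the PRF, so those suites are not flagged.
    - CBC mode and legacy ciphers are flagged separately.
    """
    issues = []
    if suite.startswith("TLS_RSA_WITH_"):
        issues.append("static RSA key exchange (no forward secrecy)")
    if suite.endswith("_SHA"):
        issues.append("SHA-1 HMAC")
    if "_CBC_" in suite:
        issues.append("CBC mode")
    if any(tag in suite for tag in LEGACY_CIPHERS):
        issues.append("legacy cipher")
    return issues


def weak_suites(suites):
    """Map each flagged suite to its list of issues; clean suites are omitted."""
    return {s: classify(s) for s in suites if classify(s)}


def probe(host, openssl_cipher, port=443, timeout=5):
    """Attempt one TLS 1.2 handshake offering only `openssl_cipher`.

    Returns (negotiated_name, version) or None if the server (or the local
    OpenSSL security level) refuses it. OpenSSL names differ from IANA ones,
    e.g. TLS_RSA_WITH_AES_128_CBC_SHA is 'AES128-SHA'. This opens a real
    connection, so call it deliberately; it never runs at import time.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # only negotiation matters here, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(openssl_cipher)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return name, version
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for suite, issues in weak_suites(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(issues)}")
    # Manual network check, hypothetical target: probe("us.battle.net", "AES128-SHA")
```

Running the script lists only the last four constructed suites; the four GCM suites quoted above come back clean, which matches the observation that the SHA-1 dependence must come from whatever other endpoint the client talks to rather than the us.battle.net suites shown. To find that endpoint, capture the client's connections and run `probe` against each host with an HMAC-SHA1 suite such as AES128-SHA: a host that negotiates it is one the client can still reach after SHA is disabled only if it also offers a SHA256/SHA384 suite.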

These ciphers are only used to authenticate against battle.net. The actual communication that the client uses is still only SHA-1 based with older TLS.