LUCHS.AT - System Administration - Historic Encryption Protocols disabled

Very recently we revisited the configuration of our infrastructure, did some upgrades, and put old/new settings to the test. TLS v1.0 and v1.1 is officially deprecated. The PCI Data Security Standard (PCI DSS) for safeguarding payment data recommends TLS v1.2 or higher. Version 1.0 and 1.1 won't get you a PCI certification any more. The future is here. Since TLS v1.2 dates back from 2008, it is already 10 years old. TLS v1.3 is right around the corner. Web browser support it, some SSL/TLS libraries and some servers have it enabled.

The first thing you notice when turning off TLS v1.0 and v1.1 is almost nothing. Version 1.2 is widely supported. Some web sites still haven't made the switch. When it comes to email transport, some email servers haven't progressed either. Sadly this includes a couple of Facebook MTAs (Mail Transport Agents, the email servers that do the actual transport of email messages). The servers insist on using TLS, because our servers advertise it, but they cannot agreed on a cipher algorithm. Since we do not use Facebook, this is not an issue. The same happens for a bunch of Yahoo! MTAs and the occasional newsletter distribution system. We keep monitoring the logs, but so far there is no reason not to disable TLS v1.0 and v1.1 completely.

If you want to test TLS, Firefox offers a way to restrict TLS version to specific levels. To do so you need to access about:config and look for the security.tls substring. security.tls.version.min sets the minimal level. TLS v1.0 is 1, v1.1 is 2, v1.2 is 3, and v1.3 is 4. The security.tls.version.max can be safely set to 4. If TLS v1.3 is not supported, Firefox will take the next lower version. Qualys's SSL Labs have a test for you, so you can see if it works.