5

I'm getting mixed statements. Is TLS 1.0 not recommended, not supported, or out of compliance? What if you have 1.2 disabled and 1.0 enabled?

I understand SSL is out, but is TLS 1.0 as well?

StackzOfZtuff
stephen

4 Answers

2

Is TLS 1.0 not recommended, not supported, or out of compliance?

TLS 1.0 is still supported, but generally not recommended if you can avoid the need to support older clients. This entirely depends on your clients, your setup, and your business or personal needs. There are some considerations for upcoming PCI compliance having to disable support for TLS 1.0 as well.

What if you have 1.2 disabled and 1.0 enabled?

TLS 1.0 can be susceptible to a number of attacks, such as BEAST, if not mitigated by either the server or the client.

2

My general recommendation is that if you're serving the general public, then you should keep it. If you're serving internal company or personal sites, where you have some control over the client browser, then you may opt to remove it and require a higher TLS version if you no longer have any systems that still rely on older clients that don't support a higher version and which, for any reason, you can't upgrade to a newer version.

Lie Ryan
2

If you do disable support for TLS1.0, you'll have plenty of company. The payment card industry (PCI) has mandated sites that accept credit card payments to phase out support for TLSv1.0. Soon, all sites that accept card information will be required to support TLSv1.1 or higher.

Without question, there are still a fair number of users that are using older browsers that do not support TLS1.0. But these users are sure to find that they are unable to connect to a quickly growing number of sites (yours among them, if you decide to disable TLS1.0), and will be compelled to upgrade to a newer browser sooner rather than later.

See this Wikipedia page for a good reference on SSL/TLS protocols supported by various browsers.

mti2935
0

TLS 1.0 is on the way out, but it's difficult to justify turning it off completely due to legacy browsers not supporting TLS 1.1 out of the box. This largely means IE 7-10 on Windows 7 won't work if you disable TLS 1.0. IE 8-10 support TLS 1.1, but it needs to be specifically turned on, and is disabled by default.

If you're lucky enough to not care about IE 7-10 (or any other legacy browsers/clients that don't support TLS 1.1), then feel free to turn it off.

Steve Sether
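
The answers above all make the decision depend on which clients still connect with TLS 1.0. One way to measure that before changing the server, as an added example that is not part of any answer: it assumes an nginx access log whose format records `$ssl_protocol`; the log format, the `legacy_impact` helper and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed nginx log_format (an assumption, not from the page):
#   '$remote_addr [$time_local] "$request" $status $ssl_protocol "$http_user_agent"'
LINE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" \d{3} (?P<proto>\S+) "(?P<ua>[^"]*)"$')
# Protocol names as nginx's $ssl_protocol reports them, oldest first.
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed sample lines (documentation IP ranges, invented requests).
SAMPLE_LOG = """\
192.0.2.10 [01/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0"
192.0.2.10 [01/Mar/2016:10:00:02 +0000] "GET /a.css HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0"
198.51.100.7 [01/Mar/2016:10:01:10 +0000] "GET / HTTP/1.1" 200 TLSv1 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.7 [01/Mar/2016:10:01:12 +0000] "GET /a.css HTTP/1.1" 200 TLSv1 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.5 [01/Mar/2016:10:02:30 +0000] "GET / HTTP/1.1" 200 TLSv1.1 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
203.0.113.9 [01/Mar/2016:10:03:00 +0000] "GET / HTTP/1.1" 301 - "curl/7.47.0"
192.0.2.44 [01/Mar/2016:10:04:00 +0000] "GET / HTTP/1.1" 200 TLSv1 "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
192.0.2.44 [01/Mar/2016:10:04:05 +0000] "GET / HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
"""

def legacy_impact(log_text, minimum="TLSv1.1"):
    """Summarise what raising the server's minimum TLS version would cut off."""
    per_proto = Counter()
    best = {}     # (ip, user agent) -> highest protocol rank seen for that client
    skipped = 0   # malformed lines and plain-HTTP requests (protocol logged as "-")
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["proto"] not in RANK:
            skipped += 1
            continue
        per_proto[m["proto"]] += 1
        key = (m["ip"], m["ua"])
        best[key] = max(best.get(key, -1), RANK[m["proto"]])
    total = sum(per_proto.values())
    below = sum(n for p, n in per_proto.items() if RANK[p] < RANK[minimum])
    # A client that also negotiated the minimum or better at some point is
    # not counted as cut off; only clients that never did are listed.
    cut_off = sorted(k for k, r in best.items() if r < RANK[minimum])
    return {"requests": total, "below_minimum": below, "skipped": skipped,
            "share": below / total if total else 0.0, "cut_off_clients": cut_off}

if __name__ == "__main__":
    report = legacy_impact(SAMPLE_LOG)
    print(f"{report['below_minimum']}/{report['requests']} TLS requests below TLSv1.1")
    for ip, ua in report["cut_off_clients"]:
        print("would lose access:", ip, ua)
```

Identifying a client by IP address and user agent is a rough heuristic; clients behind a shared NAT address or with spoofed user agents will be merged or miscounted.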