I'm setting up a server, and the default configuration allows connections with deprecated TLS versions. Should I remove deprecated TLS versions from my server? What is the difference between a deprecated and an insecure algorithm?
All the answers seem to focus on HTTPS services, probably because you have tagged `web-application` and `apache`. It is worth mentioning that TLS is used for a lot more, and the reasoning would be a bit different for mail servers. Here's also a related answer for web servers, because TLS before 1.3 depends greatly on the cipher suites enabled: https://security.stackexchange.com/a/210167/70406 – Esa Jokinen May 22 '22 at 07:08
3 Answers
It depends on the clients that you expect to be connecting to your server. If you are fairly sure that most/all of the clients will be modern up-to-date web browsers, then it's safe to enable only TLS 1.3, as TLS 1.3 is supported by all of the major browsers at this point. But, if some of your clients will be connecting using older tools (such as older versions of wget, curl, the python requests library, etc.), then you may need to enable older versions of TLS. This may be the case if you are running an API endpoint on your server.
IMHO there is little reason to coddle to the old tool use cases on a new deployment; they by definition come from at the very least power users that can upgrade their tooling. It's a completely different proposition to possibly break a working workflow OTOH. – Bruno Rohée May 20 '22 at 16:57
They most often have been deprecated because they are undeniably insecure, or might be insecure in some configuration. RFC 7568 and RFC 8989 explain at length why SSLv3, TLS 1.0 and 1.1 got deprecated.
On a new deployment you have no fear of breaking existing functionality for anyone, so it makes sense to not support anything remotely dodgy, as no one can honestly claim to be inconvenienced.
It is often recommended that one uses something like the Mozilla SSL Configuration Generator in either the Modern or Intermediate setting to generate a configuration both secure and well interoperable.
You should disable versions of TLS older than TLS 1.2 and all versions of SSL. RFC 7568 states that you MUST NOT use SSLv3, and RFC 8989 states that you MUST NOT use TLS 1.0 or 1.1. The latter is a Best Current Practice, and it would be irresponsible to violate it.
The reason is that all of those versions rely on MD5 and SHA-1, both of which are known to be broken. In addition, the only ciphers available are RC4, which is broken, and block ciphers in CBC mode using MAC-then-encrypt, which requires careful verification of padding to avoid timing attacks. It is possible to securely use the CBC mode ciphers if your TLS library extremely carefully checks padding, but MAC-then-encrypt is widely considered a mistake in modern cryptographic design.
In addition, if you are subject to certain types of regulation, such as the PCI standards for sites that accept and process credit cards, you will absolutely be forbidden from using TLS 1.1 or older. As a consequence, most major sites on the Internet no longer support these versions. Users who use a browser or user-agent which doesn't at least support TLS 1.2 basically can't access most web sites, and as a result, there are very few such users still around, so there are almost no benefits to doing so.
TLS 1.2 and TLS 1.3 are required for HTTP/2 to be enabled. Both versions provide modern AEAD algorithms which are both secure and extremely fast (much more so than the legacy TLS cipher suites), and combined with the ability to use HTTP/2, can result in substantially improved performance.
As Bruno Rohée recommended, the Mozilla SSL Configuration Generator is highly recommended. In addition, Mozilla makes recommendations on SSH algorithms as well, so you may want to follow those if you'll have an SSH server.
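As an added illustration (not code from the question or from any of the answers), here is what the advice above looks like as Apache `mod_ssl` directives: a permissive setting of the kind a stock install may ship with, followed by a virtual host that follows the Mozilla Intermediate profile the answers point to. The server name, the certificate paths and the assumption that the cipher list matches the generator's current output are mine; regenerate the list from the generator for a real deployment.

```apache
# Permissive configuration of the kind a stock install may ship with
# (constructed illustration, not any particular distribution's file):
# SSLv3 is off, but TLS 1.0 and 1.1 stay enabled and every "HIGH" cipher,
# including the CBC / MAC-then-encrypt suites, remains negotiable.
#
#   SSLProtocol     all -SSLv3
#   SSLCipherSuite  HIGH:!aNULL
#
# Hardened virtual host following the Mozilla "Intermediate" profile:
# only TLS 1.2 and 1.3, only AEAD suites with forward secrecy.
# Hostname and certificate paths are placeholders.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.com.fullchain.pem
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key

    # Disable SSLv3, TLS 1.0 and TLS 1.1 (the RFCs cited in the answers).
    # TLS 1.3 needs Apache httpd 2.4.36+ built against OpenSSL 1.1.1+.
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    # TLS 1.2 suites: ECDHE/DHE key exchange with AES-GCM or ChaCha20-Poly1305,
    # i.e. no RC4, no CBC, no MAC-then-encrypt. TLS 1.3 suites are fixed by
    # the library and are not affected by this directive.
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

    # Every suite left is acceptable, so let the client choose (a phone
    # without AES hardware can prefer ChaCha20 over AES-GCM).
    SSLHonorCipherOrder     off

    # Session tickets without key rotation weaken forward secrecy.
    SSLSessionTickets       off

    # Needs mod_headers; a client that has seen this will not fall back to http://.
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# Verification after reload, run from another host (expected outcome per line):
#   apachectl configtest
#   openssl s_client -connect example.com:443 -tls1_1   # handshake must fail
#   openssl s_client -connect example.com:443 -tls1_2   # succeeds with a GCM/CHACHA20 suite
```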