One of the most helpful tools comes courtesy of SSL Labs. Their SSL/TLS test suite is both simple to use and full of really good data. While getting a good score doesn’t guarantee everything is secure, it shows you are doing at least some things right.
As of Jan 31st 2020, SSL Labs decided to cap grade to B for lower TLS (1.0 and 1.1) protocols. That means even if your server was a class star until then, starting February it got relegated to a B league. Totally unacceptable!
Fortunately, if you are using Apache, change is easy:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
With this adjustment your server can enjoy A+ again.
PS: Cost? Say goodbye to Android 4.3, Windows Phone 8, Java 7, Safari 6, and Internet Explorer on Windows 7. For me personally all things I can live without.
PPS: If you want to disable some algorithms manually, a table mapping between OpenSSL and IANA names will be most useful.
PPPS: For curious, here are my TLS definitions for Apache:
SSLProtocol "TLSv1.3" "+TLSv1.2"
SSLCipherSuite "TLSv1.3" "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
SSLCipherSuite "HIGH -MEDIUM !LOW !aNULL !MD5 !3DES !AES128 !ARIA128 !CAMELLIA !RSA"
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters secp384r1