As someone maintaining my own web server, I often use various tools to determine if things are good. As web servers are not my daily job, I found that this is the only way to save both sanity and time.
One of the most helpful tools comes courtesy of SSL Labs. Their SSL/TLS test suite is both simple to use and full of really good data. While getting a good score doesn't guarantee everything is secure, it shows you are doing at least some things right.
As of Jan 31st 2020, SSL Labs decided to cap the grade at B for servers still supporting the older TLS protocols (1.0 and 1.1). That means even if your server was an A-class star until then, starting February it got relegated to the B league. Totally unacceptable!
Fortunately, if you are using Apache, change is easy:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
With this adjustment your server can enjoy A+ again.
PS: Cost? Say goodbye to Android 4.3, Windows Phone 8, Java 7, Safari 6, and Internet Explorer on Windows 7. For me personally, all things I can live without.
PPS: If you want to disable some algorithms manually, a table mapping between OpenSSL and IANA names will be most useful.
PPPS: For the curious, here are my TLS definitions for Apache:
# Protocols: start from TLS 1.3 only, then add TLS 1.2 (TLS 1.0/1.1 stay off)
SSLProtocol "TLSv1.3" "+TLSv1.2"
# TLS 1.3 cipher suites (IANA names): AEAD suites only
SSLCipherSuite "TLSv1.3" "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# TLS 1.2 cipher list (OpenSSL names): high strength only, no anonymous, no MD5/3DES, no 128-bit suites, no static RSA key exchange
SSLCipherSuite "HIGH -MEDIUM !LOW !aNULL !MD5 !3DES !AES128 !ARIA128 !CAMELLIA !RSA"
# Elliptic curves offered for ECDHE, strongest first
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
# Curve used for the server's ephemeral ECDH key
SSLOpenSSLConfCmd ECDHParameters secp384r1
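Added here as an example, not code from the post: a small Python checker that applies mod_ssl's SSLProtocol rules (a bare name sets the list, "+" adds, "-" removes, "all" means every protocol the build knows) to lines like the two SSLProtocol directives above, and reports which of the protocols that cost the A+ grade are still enabled. It assumes an httpd 2.4 build with TLS 1.3 support and accepts SSLv2 only as a "-SSLv2" removal.

```python
# Added example (not from the post): evaluate what an Apache SSLProtocol line
# actually enables, using mod_ssl's rules: a bare name sets the list, "+name"
# adds, "-name" removes, "all" means every protocol the build knows.
# Assumptions: an httpd 2.4 build with TLS 1.3 support, and SSLv2 accepted
# only as a "-SSLv2" removal (httpd 2.4 no longer speaks SSLv2).
import shlex

KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions that make SSL Labs cap the grade at B (TLS 1.0/1.1), plus SSLv3.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_ssl_protocol(line: str) -> set:
    """Return the set of protocol versions enabled by one SSLProtocol line."""
    words = shlex.split(line)  # strips the optional quotes around tokens
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % line)
    enabled = set()
    for word in words[1:]:
        action = word[0] if word[0] in "+-" else "="
        name = word.lstrip("+-")
        if name.lower() == "all":
            versions = set(KNOWN)
        elif name.lower() == "sslv2":
            if action != "-":
                raise ValueError("SSLv2 is not supported by httpd 2.4")
            continue
        else:
            matches = [v for v in KNOWN if v.lower() == name.lower()]
            if not matches:
                raise ValueError("unknown protocol %r" % name)
            versions = set(matches)
        if action == "-":
            enabled -= versions
        elif action == "+":
            enabled |= versions
        else:
            enabled = versions
    return enabled


def legacy_enabled(line: str) -> set:
    """Protocols in the line that would cost the A+ grade (empty set = fine)."""
    return parse_ssl_protocol(line) & LEGACY


if __name__ == "__main__":
    for cfg in ('SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1',
                'SSLProtocol "TLSv1.3" "+TLSv1.2"',
                'SSLProtocol all -SSLv3'):
        print(cfg, "->", sorted(parse_ssl_protocol(cfg)),
              "legacy:", sorted(legacy_enabled(cfg)))
```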
One thought to “The Cost of A+”
Since all modern and just-old browsers support TLS 1.3, in some days we can remove the SSLProtocol TLS 1.2. It is up to you what you are running.