TLS 1.0 and 1.1 are deprecated; use 1.2 or 1.3. Configure strong ciphers and disable SSLv3 and older. Test with SSL Labs; enable HSTS. Keep certificates and libraries updated.
TLS versions
- TLS 1.2 and 1.3: Current standards. TLS 1.3 is faster (1-RTT handshake) and drops legacy options. Prefer 1.3 where supported; allow 1.2 for older clients.
- TLS 1.0 / 1.1: Deprecated; disabled by major browsers and prohibited by compliance standards such as PCI DSS. Do not enable.
- SSLv3 and below: Insecure; disable everywhere.
Ciphers
- Strong ciphers: Prefer AEAD suites (e.g. AES-GCM, ChaCha20-Poly1305); avoid NULL, export, or otherwise weak ciphers. Configure server-side cipher ordering so the strongest suite both sides support is chosen.
- Config: In nginx, Apache, or your app, set ssl_protocols and ssl_ciphers (or equivalent). Mozilla SSL Config Generator is a good reference.
- Libraries: Keep OpenSSL or other TLS libraries updated so you get security fixes and modern cipher support.
Testing and HSTS
- SSL Labs: Run your domain through ssllabs.com to check protocol and cipher configuration, certificate chain, and common issues.
- HSTS: Enable Strict-Transport-Security so browsers use HTTPS only. Start with a short max-age and increase once stable.
- Certificates: Renew before expiry (automate with Let's Encrypt or your provider's tooling) and serve a complete, valid chain.
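As an added example (not part of the original page), a small Python linter that applies the configuration and HSTS points above to an nginx server block: it flags deprecated ssl_protocols values, weak or catch-all ssl_ciphers entries, server cipher preference left off, and a missing Strict-Transport-Security header. The two server blocks are constructed samples, not real deployments.

```python
import re

# Constructed sample nginx server blocks (illustrative, not from any real deployment).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:RC4-SHA:DES-CBC3-SHA:NULL-MD5;
    ssl_prefer_server_ciphers off;
}
"""
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=300" always;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark a weak, null, or catch-all entry in an OpenSSL-style cipher list.
WEAK_CIPHER_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ALL", "DEFAULT")

def directive(config, name):
    """Return the arguments of the first `name ...;` directive, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s+([^;]*);", config, re.MULTILINE)
    return m.group(1).strip() if m else None

def lint_tls_config(config):
    """Check one nginx server block against the guidance above; return a list of findings."""
    findings = []
    protos = directive(config, "ssl_protocols")
    if protos is None:
        findings.append("ssl_protocols not set; use an explicit TLSv1.2 TLSv1.3 list")
    else:
        findings += [f"deprecated protocol enabled: {p}" for p in protos.split() if p in DEPRECATED_PROTOCOLS]
    ciphers = directive(config, "ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers not set")
    else:
        for entry in ciphers.split(":"):
            if entry.startswith("!"):  # "!aNULL" excludes suites, which is what we want
                continue
            if any(tok in entry.upper() for tok in WEAK_CIPHER_TOKENS):
                findings.append(f"weak or catch-all cipher entry: {entry}")
    if directive(config, "ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if directive(config, "add_header Strict-Transport-Security") is None:
        findings.append("no Strict-Transport-Security header")
    return findings
```

Running lint_tls_config on WEAK_CONFIG returns nine findings; on HARDENED_CONFIG it returns an empty list.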
Summary
Use TLS 1.2/1.3 only; configure strong ciphers; disable SSLv3 and old TLS. Test with SSL Labs; enable HSTS; keep certs and libraries updated.