I'm setting up a new host on Cloudflare and noticed that all TLS versions from 1.0 and up are enabled by default. Since almost all modern browsers support TLS 1.3, I'm curious if there's any actual reason to keep the older versions (1.0, 1.1, 1.2) enabled?
5 Answers
Not really. TLS 1.0 and 1.1 should be disabled by now. TLS 1.2 is mainly for older clients that don’t support the newer standards. It's best to keep only 1.2 and 1.3 active if you can.
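Added example (not part of the answer above, and not Cloudflare's own tooling): a small Python script, using only the standard library, that builds the "1.2 and 1.3 only" configuration the answer recommends, lists which versions any context will negotiate, and probes a live server one pinned version at a time so you can confirm what a host actually accepts after changing its settings. The host name on the command line, the file names, and the function names are illustrative.

```python
import socket
import ssl
import sys
import warnings

# Oldest to newest; the probe walks this list.
TLS_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def set_version_range(ctx, lo, hi):
    """Pin ctx to [lo, hi]. minimum_version/maximum_version are the supported
    knobs on Python 3.7+; the old OP_NO_TLSv1* option flags are deprecated."""
    with warnings.catch_warnings():
        # Python 3.10+ warns when a context may speak TLS < 1.2. A probe
        # client needs exactly that, so the warning is silenced here only.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = lo
        ctx.maximum_version = hi
    return ctx


def allowed_version_names(ctx):
    """Names of the TLS versions ctx will negotiate, oldest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    return [
        v.name for v in TLS_VERSIONS
        if (lo == ssl.TLSVersion.MINIMUM_SUPPORTED or v >= lo)
        and (hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or v <= hi)
    ]


def hardened_server_context(certfile=None, keyfile=None):
    """Server context for the answer's recommendation: TLS 1.2 and 1.3 only.
    certfile/keyfile are hypothetical paths; omitted here so the context can
    be inspected without a certificate on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return set_version_range(ctx, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def tls13_only_client_context():
    """Client context for the case where you control every client."""
    ctx = ssl.create_default_context()
    return set_version_range(ctx, ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3)


def probe_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to exactly one version.
    Returns True only if the server completes the handshake at that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # only the negotiated version matters here
    ctx.verify_mode = ssl.CERT_NONE
    set_version_range(ctx, version, version)
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; drop
        # it for the probe so a False result reflects the server, not us.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        pass                           # older/other TLS libraries: keep defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # tls.version() is "TLSv1.2", version.name is "TLSv1_2"
                return tls.version() == version.name.replace("_", ".")
    except (ssl.SSLError, OSError):
        return False


def probe_server(host, port=443):
    """Map each version name to whether the server accepts it."""
    return {v.name: probe_version(host, port, v) for v in TLS_VERSIONS}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # illustrative
    print("hardened server allows:", allowed_version_names(hardened_server_context()))
    for name, ok in probe_server(target).items():
        print(f"{target}: {name:8} {'accepted' if ok else 'rejected'}")
```

Run it against the host after lowering the allowed versions; anything below TLSv1_2 should report as rejected. If the probe shows TLSv1 or TLSv1_1 rejected on every host you try, including one you know still has them enabled, check whether your local TLS library simply cannot offer those versions any more.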
If you're in a regulated environment, like PCI DSS, you need to disable versions earlier than 1.2 for compliance anyway. Keeping older versions isn't a good idea from an audit standpoint either.
One thing to consider is that TLS 1.2 still allows for traffic inspection more easily than TLS 1.3, which complicates things for organizations that need to inspect traffic for security reasons. If your industry relies on that, you may need to come up with a new plan for how to handle TLS 1.3 traffic, maybe by utilizing endpoint software.
I get what you're saying, but it's worth noting that while passive inspection becomes tougher, full interception through a proxy still works as long as you're managing trust correctly.
Older applications, especially in specialized industries, often still operate on TLS 1.0 or are dependent on 1.2. Some businesses have to keep legacy systems running for legal reasons, so while it’s best practice to use the latest, real-world use cases often complicate that.
For sure! Implementing a proxy in front of those legacy systems can help bridge the gap, allowing them to operate securely without needing to update everything.
For personal setups, if you control the clients, you can likely stick with just 1.3. But on public websites, I'd still recommend having TLS 1.2 enabled, since not all servers can handle 1.3 yet. It’s a mixed bag out there with legacy systems still floating around.

True; just to clarify, PCI DSS prohibits TLS versions lower than 1.2, but it doesn't demand that you stick strictly to 1.2 if 1.3 is available.