R.I.P. TLS 1.0 (and 1.1)
Many web servers still support the encryption protocols TLS 1.0 and TLS 1.1, although all standard browsers have long been compatible with TLS 1.2. How do you exclude legacy TLS standards on the server side and what should you pay attention to?
First of all, we need to make sure that the website still allows older TLS standards to go through. The "Qualys" scan service by SSL Labs does a good job of determining this.
According to the Payment Card Industry Data Security Standard (PCI-DSS), to maintain compliance, no earlier versions than TLS 1.1 may be used as of 30 June 2018. To be sure, you'll find sporadically a few antediluvian browsers still in use that do not support TLS 1.2. However, we can configure our servers not to connect using protocols older than TLS 1.1 (or even better: TLS 1.2).
In Apache, for instance, this can be easily implemented in the SSL settings :
SSLProtocol ALL -TLSv1 -TLSv1.1 -SSLv3
However, you have to be careful if you only want to apply these settings to individual virtual hosts under the same IP. Due to an Apache- respectively OpenSSL bug, the parent settings will overwrite those of the virtual hosts .
So what does this restriction mean for users and operators of a website?
Any browser that does not support TLS 1.2 will receive "This page can't be displayed" or a similar message with little information instead of the requested page. The server will not redirect to an error page either. The request does not even reach the server because no Handshake has taken place. This message will simply annoy the user and he may drift away to your competitors. The website operator should therefore be able to estimate how many and what type of users are excluded. After all, it is often machines that use exotic or outdated clients (e.g. for web service requests). Perhaps the pool of potential users of a website is already known and they can be actively informed before the changeover.
aspectra will be happy to advise its customers on the conversion to "TLS 1.2 only" and can also support them in analysing how many and which clients can still make do with legacy TLS. If this conversion was not carried out yet, there would be no immediate problems as yet. But beware: the next "POODLE" may be just around the corner, ready to bellow.
Bild: Vicious Poodle. (Credit: Greg Westfall/Flickr)