High Severity | SSL/TLS

Fix: TLS 1.0 or TLS 1.1 Still Enabled

Your server still accepts TLS 1.0 or TLS 1.1 connections. Both are deprecated, vulnerable to several known attacks, and disallowed by PCI DSS, HIPAA, and most browser vendors.

Quick Fix

Disable TLS 1.0 and TLS 1.1 in your server configuration. Require TLS 1.2 minimum (TLS 1.3 preferred).

What This Error Means

TLS 1.0 (1999) and TLS 1.1 (2006) are obsolete protocol versions. They are vulnerable to known attacks (BEAST, POODLE in some configurations) and use weaker cipher constructions than modern versions. Major browsers (Chrome, Firefox, Safari, Edge) have removed support for them. Yet many servers still accept them by default.

Why It Matters

Continuing to accept TLS 1.0/1.1 means clients can be downgraded to a weaker protocol via MITM or misconfiguration. PCI DSS 3.2.1+ explicitly bans TLS 1.0 for cardholder data; 4.0 also bans 1.1. HIPAA and SOC 2 audits flag TLS 1.0/1.1 as a deficiency. SSL Labs caps your grade at B if 1.0/1.1 are enabled, which signals poor security hygiene to assessors.

Step-by-Step Fix

1. Check which protocols your server supports

Test each TLS version directly. A version the server accepts completes the handshake and prints the certificate chain; a version it refuses ends with a handshake failure or a protocol-version alert.

Example
# Test TLS 1.0:
openssl s_client -tls1 -connect yourdomain.com:443 < /dev/null
# Test TLS 1.1:
openssl s_client -tls1_1 -connect yourdomain.com:443 < /dev/null
# Test TLS 1.2:
openssl s_client -tls1_2 -connect yourdomain.com:443 < /dev/null
# Test TLS 1.3:
openssl s_client -tls1_3 -connect yourdomain.com:443 < /dev/null

2. Disable TLS 1.0 and TLS 1.1 in Nginx

Set ssl_protocols to only allow TLS 1.2 and TLS 1.3.

Before
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
After
ssl_protocols TLSv1.2 TLSv1.3;

3. Disable TLS 1.0 and TLS 1.1 in Apache

Set SSLProtocol to exclude older versions.

Before
SSLProtocol all -SSLv3
After
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
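Steps 2 and 3 each show one directive, but the Apache form is easy to misread because `all` re-enables every version and only explicit `-X` tokens remove one. The lint below, an added example that is not tooling from this page's authors, evaluates both the Nginx `ssl_protocols` and the Apache `SSLProtocol` lines the way the servers do and reports any version below TLS 1.2 that a line still leaves enabled. The sample configuration text at the bottom is constructed from the Before/After lines above.

```python
"""Lint Nginx and Apache TLS protocol directives for deprecated versions.

Added example for this guide, not tooling from the page's authors.  It
evaluates 'ssl_protocols ...;' (Nginx) and 'SSLProtocol ...' (Apache)
lines and reports any version below TLS 1.2 that a line leaves enabled.
The SAMPLE_* config text at the bottom is constructed for the demo.
"""
import re

# Versions Apache's "all" keyword can expand to, oldest first.
ALL_VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Anything below TLS 1.2 fails PCI DSS and is refused by current browsers.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}


def nginx_enabled(directive):
    """Return the set of versions an 'ssl_protocols ...;' line enables."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError(f"not an ssl_protocols directive: {directive!r}")
    return set(tokens[1:])


def apache_enabled(directive):
    """Return the set of versions an 'SSLProtocol ...' line enables.

    Tokens apply left to right: 'all' turns on every version, '-X' removes
    X, '+X' or a bare 'X' adds X.  '-all' clears everything first.
    """
    tokens = directive.strip().split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    enabled = set()
    for tok in tokens[1:]:
        remove = tok.startswith("-")
        name = tok.lstrip("+-")
        names = ALL_VERSIONS if name.lower() == "all" else [name]
        if remove:
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def lint(config_text):
    """Scan config text; return (line_no, directive, deprecated_versions) findings."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if re.match(r"ssl_protocols\b", stripped):
            enabled = nginx_enabled(stripped)
        elif re.match(r"sslprotocol\b", stripped, re.IGNORECASE):
            enabled = apache_enabled(stripped)
        else:
            continue
        bad = sorted(enabled & DEPRECATED, key=ALL_VERSIONS.index)
        if bad:
            findings.append((no, stripped, bad))
    return findings


# Constructed sample: the Before and After lines from steps 2 and 3.
SAMPLE_BEFORE = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol all -SSLv3
"""
SAMPLE_AFTER = """\
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        findings = lint(text)
        print(f"{label}: {len(findings)} finding(s)")
        for no, directive, bad in findings:
            print(f"  line {no}: {directive}  -> still enables {', '.join(bad)}")
```

Point `lint()` at the contents of your real `nginx.conf` or `ssl.conf` files; because the Apache parser applies tokens in order, it also handles the equally common `SSLProtocol -all +TLSv1.2 +TLSv1.3` form.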
4. Disable on load balancers and CDNs

AWS ALB, Cloudflare, and similar services each expose a minimum TLS version setting. Set it to TLS 1.2 (Cloudflare: SSL/TLS > Edge Certificates > Minimum TLS Version).

5. Re-test and confirm

After reloading the server configuration, repeat the tests from step 1: the TLS 1.0 and TLS 1.1 handshakes should fail, and the TLS 1.2 and TLS 1.3 handshakes should succeed.
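Steps 1 and 5 drive `openssl s_client` by hand, once per version. The script below, an added example that is not tooling from this page's authors, does the same thing with Python's `ssl` module: it pins one protocol version per connection, records whether the server completed the handshake, and then checks that no deprecated version was accepted while TLS 1.2 or 1.3 was. `yourdomain.com:443` is the guide's placeholder. One caveat the manual commands share: on an OpenSSL 3 system the client library itself refuses to offer TLS 1.0/1.1 at its default security level, which the script reports separately as `client_cannot_offer` rather than as proof the server rejects them.

```python
"""Probe a server for each TLS version and confirm only 1.2/1.3 succeed.

Added example for this guide, not tooling from the page's authors.  It
reproduces the openssl s_client checks from step 1 with Python's ssl
module, pinning one protocol version per connection.  HOST and PORT in
the demo at the bottom are the guide's placeholders.
"""
import socket
import ssl

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLS 1.0", "TLS 1.1"}


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to `version`; return a status dict.

    status is one of: accepted, handshake_failed, client_cannot_offer,
    unreachable.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Certificate verification is irrelevant for a protocol probe; we
        # only care whether the handshake completes.  Never reuse this
        # context for real traffic.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "accepted", "negotiated": tls.version()}
    except ValueError as exc:
        # The local OpenSSL build does not support this version at all.
        return {"status": "client_cannot_offer", "detail": str(exc)}
    except ssl.SSLError as exc:
        # OpenSSL 3 at its default security level will not offer TLS 1.0/1.1;
        # distinguish that from a rejection by the server.
        if "no protocols available" in str(exc):
            return {"status": "client_cannot_offer", "detail": str(exc)}
        return {"status": "handshake_failed", "detail": str(exc)}
    except OSError as exc:
        # Connection refused, timeout, DNS failure: nothing to conclude.
        return {"status": "unreachable", "detail": str(exc)}


def probe_all(host, port, timeout=5.0):
    """Probe every version in VERSIONS and return {name: status dict}."""
    return {name: probe(host, port, ver, timeout) for name, ver in VERSIONS.items()}


def fix_verified(results):
    """True when no deprecated version handshakes and TLS 1.2 or 1.3 does."""
    accepted = {name for name, r in results.items() if r["status"] == "accepted"}
    return not (accepted & DEPRECATED) and bool(accepted - DEPRECATED)


if __name__ == "__main__":
    HOST, PORT = "yourdomain.com", 443  # placeholders from the guide
    results = probe_all(HOST, PORT)
    for name, r in results.items():
        extra = r.get("negotiated") or r.get("detail", "")
        print(f"{name:8} {r['status']:20} {extra}")
    if fix_verified(results):
        print("fix verified: only TLS 1.2/1.3 accepted")
    else:
        print("not verified: a deprecated version is still accepted, or TLS 1.2/1.3 is not")
```

Run it once against the origin, once against the load balancer or CDN hostname, and once against any internal listener, since step 4 and the gotchas below both point out that each layer keeps its own protocol settings. A `client_cannot_offer` result for TLS 1.0/1.1 means the probe could not test that version from this machine; confirm it from a host with an older OpenSSL, or with a scanner that implements the handshake itself.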

Common Gotchas

  • Very old clients (Windows XP IE, Android 4.x) won't connect at all once TLS 1.0/1.1 are off. For most modern services, this is acceptable — those clients are < 0.1% of traffic and have other problems.
  • Your origin server, CDN, and load balancer each have their own TLS settings. Disabling at one layer doesn't disable everywhere.
  • Some legacy enterprise software (printers, MFPs, PoS terminals) may break. Audit internal use cases before flipping the switch site-wide.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

Why disable TLS 1.0 and 1.1 if my server still accepts them?

Both versions are vulnerable to known cryptographic attacks (BEAST, POODLE in some configurations). They're banned by PCI DSS for cardholder data, and major browsers have already removed support. Continuing to accept them risks downgrade attacks and compliance violations.

Will disabling TLS 1.0/1.1 break my site for old browsers?

Only for very old browsers (IE on Windows XP/Vista, Android 4.x). Modern browsers (Chrome, Firefox, Safari, Edge — all current versions) all use TLS 1.2 or 1.3 by default. Real-world impact on traffic is < 0.1% for typical sites.

Should I require TLS 1.3 only?

For most sites, TLS 1.2 minimum is the right balance. TLS 1.3-only is more secure but excludes a small percentage of older clients (some mobile apps, older Java versions). TLS 1.2 + 1.3 is broadly compatible and secure.
