
Is there any real reason why I should keep TLS 1.1 enabled?

I can understand that enabling 1.0 widens compatibility but can bring security problems if not properly configured, while according to this table https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers#cite_note-Android-SSLSocket-46 there is almost no browser that supports TLS 1.1 but not TLS 1.2.

Even though TLS 1.1 is not broken or anything, its PRFs mainly use SHA-1 and MD5, which has its own implications and might get broken more easily in the future, and as I said, TLS 1.1 doesn't really increase compatibility.

So is there any real point in using TLS 1.1, at least on an HTTPS server?

My1

1 Answer

Yeah, there is no real reason to have TLSv1.1 turned on since, as you point out, nearly every browser that supports 1.1 also supports 1.2.

However, there are some edge cases which might benefit from this. See here for an example: https://github.com/ssllabs/ssllabs-scan/issues/258

On the flip side, there is no downside to leaving 1.1 enabled for now since it's still secure (provided it's properly configured), so you might as well leave it on, IMHO.

You could also turn on TLS protocol monitoring on your site to see if it's being used by your visitors. For Apache this is done with a custom log format: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#logformats and you can do similar with Nginx.

Barry Pollard
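The protocol monitoring suggested in the answer, carried through as an added example (not part of the original answer): the `CustomLog` line is the one given in the mod_ssl documentation linked above, and the script then tallies negotiated TLS versions from lines written in that format, so you can see whether anyone actually reaches you over TLS 1.1 before turning it off. The log lines are constructed for the example, not captured from a real server; the function names are this example's own.

```shell
#!/bin/sh
# Added example. Apache side: log the negotiated protocol and cipher with
# the format from the mod_ssl docs (a separate log keeps parsing simple):
#
#   CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#
# nginx equivalent: a log_format that includes $ssl_protocol and $ssl_cipher.
#
# With that format %t occupies two whitespace-separated tokens
# ("[day/mon/year:time" and "zone]"), %h is field 3, so the protocol is $4.

# Constructed sample ssl_request_log lines (example data, not a real capture).
SAMPLE_LOG_FILE="$(mktemp)"
cat >"$SAMPLE_LOG_FILE" <<'EOF'
[10/Jan/2018:10:01:02 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120
[10/Jan/2018:10:01:05 +0000] 192.0.2.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /index.html HTTP/1.1" 7300
[10/Jan/2018:10:02:17 +0000] 198.51.100.7 TLSv1.1 ECDHE-RSA-AES128-SHA "GET /legacy HTTP/1.1" 2048
[10/Jan/2018:10:03:44 +0000] 203.0.113.5 TLSv1 AES128-SHA "POST /api HTTP/1.0" 512
[10/Jan/2018:10:04:01 +0000] 192.0.2.12 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /css/a.css HTTP/1.1" 900
EOF

# tls_version_summary LOGFILE
# Prints "count protocol" per negotiated version, most common first.
tls_version_summary() {
    awk '{ n[$4]++ } END { for (p in n) printf "%d %s\n", n[p], p }' "$1" | sort -rn
}

# tls_version_count LOGFILE PROTOCOL
# Number of connections that negotiated exactly PROTOCOL (e.g. TLSv1.1).
tls_version_count() {
    awk -v proto="$2" '$4 == proto { c++ } END { print c + 0 }' "$1"
}

# tls_version_share LOGFILE PROTOCOL
# Whole-number percentage of connections on PROTOCOL; 0 for an empty log.
tls_version_share() {
    awk -v proto="$2" '
        $4 == proto { c++ }
        END { printf "%d\n", (NR ? 100 * c / NR : 0) }' "$1"
}

# Usage: the decision the answer describes is "is TLS 1.1 actually used?"
echo "Negotiated TLS versions:"
tls_version_summary "$SAMPLE_LOG_FILE"
echo "TLSv1.1 connections: $(tls_version_count "$SAMPLE_LOG_FILE" TLSv1.1)" \
     "($(tls_version_share "$SAMPLE_LOG_FILE" TLSv1.1)% of all TLS connections)"
```

Run it against the real `ssl_request_log` instead of the temp file; a TLSv1.1 share that stays at zero over a few weeks is the evidence the answer is asking you to collect before disabling the version. Note that `%{SSL_PROTOCOL}x` records the version that was negotiated, so clients that offered 1.1 but also support 1.2 show up as TLSv1.2, which is exactly the population you care about.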