Tech TLS 1.0/1.1 being phased out by browsers in 2 months. Are you ready? - GoFuckYourself.com

rowan · 11-24-2019, 07:25 PM

There's a change coming in January 2020 which could result in problems with HTTPS sites.

https://www.entrustdatacard.com/blog...eprecating-tls

Your server needs to support at least TLS 1.2, and preferably also the current 1.3. If not, by early next year, people with modern (and updated) browsers will refuse to load your site.

If you have a HTTPS site that's a few years old, you may need to upgrade the software, or modify your config.

Wouldn't hurt to give everything a once-over anyway; my server already supported TLS 1.2, but I upgraded Apache so that I could enable TLS 1.3.

Klen · 11-25-2019, 02:56 AM

Not this shit again lol. I guess it will be enough to update package openssl ?

rowan · 11-25-2019, 05:46 AM

Quote:

Originally Posted by Klen

Not this shit again lol. I guess it will be enough to update package openssl ?

TLS 1.3 is fairly new and is officially considered "experimental", so I had to upgrade both Apache and OpenSSL.

Even though it's experimental the major browsers already support it. I saw 70%+ of IPs switch to 1.3 once I had upgraded.

It's important to note that even though modern browsers have moved to TLS 1.2/1.3 by default, there's still some oddball and obsolete browsers which only support 1.0 or 1.1. So unless you're accepting credit card or personal info - the older versions are insecure - it may be worth considering still supporting those.

rowan · 11-25-2019, 05:50 AM

Bearing in mind the caveat I mentioned above, this page shows how to move forward and cleanly negotiate only TLS 1.2+

https://tecadmin.net/enable-tls-in-modssl-and-apache/

The important line in httpd.conf is

SSLProtocol -all +TLSv1.2 +TLSv1.3

11-24-2019, 07:25 PM	#1
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	TLS 1.0/1.1 being phased out by browsers in 2 months. Are you ready? There's a change coming in January 2020 which could result in problems with HTTPS sites. https://www.entrustdatacard.com/blog...eprecating-tls Your server needs to support at least TLS 1.2, and preferably also the current 1.3. If not, by early next year, people with modern (and updated) browsers will refuse to load your site. If you have a HTTPS site that's a few years old, you may need to upgrade the software, or modify your config. Wouldn't hurt to give everything a once-over anyway; my server already supported TLS 1.2, but I upgraded Apache so that I could enable TLS 1.3.

11-25-2019, 02:56 AM	#2
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	Not this shit again lol. I guess it will be enough to update package openssl ?

11-25-2019, 05:50 AM	#4
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	Bearing in mind the caveat I mentioned above, this page shows how to move forward and cleanly negotiate only TLS 1.2+ https://tecadmin.net/enable-tls-in-modssl-and-apache/ The important line in httpd.conf is SSLProtocol -all +TLSv1.2 +TLSv1.3