Cirrus
CirrocumulusFor the enabled options, you can do:
Don't insert empty fragments, No TLSv1, No TLSv1.1, No SSLv2 and No SSLv3 (if that one's listed).
Also, if No TLSv1.3 is there, then remove it. Once you're finished, you can check the site cert (if it's accessible from off-site) via ssllabs.com - you can run a check/report there which will give you a score.
Note that your cert security is not just enabled/disabled TLS, SSL, etc. The ciphers you allow/disallow matter as well. You can try "DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH" (the @STRENGTH will begin cipher negotiation with the strongest and proceed to the weakest). The downside can be backend servers/apps that don't play well with newer ciphers so, like they say, "your mileage may vary."
This page has some useful info regarding SSL/TLS Best Practices:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
Good Luck!
Alan
CirrusThank you. I will try this out.