19-Oct-2021 06:55
Our Security Team has requested that we enable support for TLS 1.2 and TLS 1.3 and disable support for TLS 1.0. I am looking at our client SSL profile and it currently has the following as Enabled Options: Don't insert empty fragments, No SSL, No TLSv1.3 and No SSLv3. Should I remove No TLSv1.3 and add No TLSv1? Would that accomplish what our Security Team is looking to do?
19-Oct-2021 11:34
For the enabled options, you can do:
Don't insert empty fragments, No TLSv1, No TLSv1.1, No SSLv2 and No SSLv3 (if that one's listed).
Also, if No TLSv1.3 is there, then remove it. Once you're finished, you can check the site cert (if it's accessible from off-site) via ssllabs.com - you can run a check/report there which will give you a score.
Note that your cert security is not just enabled/disabled TLS, SSL, etc. The ciphers you allow/disallow matter as well. You can try "DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH" (the @STRENGTH will begin cipher negotiation with the strongest and proceed to the weakest). The downside can be backend servers/apps that don't play well with newer ciphers so, like they say, "your mileage may vary."
This page has some useful info regarding SSL/TLS Best Practices:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
Good Luck!
Alan
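The ssllabs.com check Alan mentions only works for sites reachable from the internet. As an added example (not part of the thread, and not F5 code), here is a small probe you can run from inside the network after changing the profile: it pins one handshake per protocol version, reports which ones the virtual server accepts, compares that with the requested policy (TLS 1.0/1.1 off, TLS 1.2/1.3 on) and flags any negotiated cipher that the suggested cipher string (DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH) is meant to drop. The host and port, the POLICY table and the cipher-name heuristics are my assumptions. One caveat when testing the string itself: it is written in BIG-IP's cipher grammar, where my understanding is that RSA means static RSA key exchange; in plain OpenSSL the RSA keyword also matches RSA-authenticated suites, so `openssl ciphers 'DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH'` would strip the ECDHE-RSA suites too and is not a faithful check of what the BIG-IP will offer.

```python
"""Added example, not from the original post: verify a client SSL profile
change from the outside.  Pins one TLS handshake per protocol version,
compares the results with POLICY, and flags negotiated ciphers that the
cipher string DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH is meant to exclude.
Host, port, POLICY and the cipher-name heuristics are assumptions."""
import socket
import ssl
import sys

# Protocol versions to try, keyed by the name used in the report.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# The requested policy (assumed): True = must be accepted, False = must be rejected.
POLICY = {"TLSv1": False, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": True}


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.
    Returns (accepted, negotiated_cipher_or_error_text)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # testing protocol support, not trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it on
    # the client so a failed handshake really is the server's decision.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # older/LibreSSL builds: no SECLEVEL syntax
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def weak_cipher_reason(name):
    """Why an OpenSSL-style cipher name (as ssl.cipher() reports it) is one the
    profile's cipher string is supposed to exclude; None if it is acceptable."""
    if "RC4" in name:
        return "RC4"
    if "DES-CBC3" in name or "3DES" in name:
        return "3DES"
    if name.startswith(("DHE-", "EDH-")):
        return "finite-field DHE"
    if name.startswith("TLS_"):         # TLS 1.3 suites are always (EC)DHE
        return None
    if not name.startswith("ECDHE-"):
        return "no ECDHE (static key exchange, no forward secrecy)"
    return None


def evaluate(accepted):
    """Compare {version: accepted?} against POLICY; return a list of violations."""
    problems = []
    for proto, wanted in POLICY.items():
        got = accepted.get(proto, False)
        if wanted and not got:
            problems.append(f"{proto} must be enabled but was rejected")
        elif got and not wanted:
            problems.append(f"{proto} must be disabled but was accepted")
    return problems


def probe_all(host, port):
    """Run every version probe; returns {version: (accepted, detail)}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def main(argv):
    host = argv[1] if len(argv) > 1 else "www.example.com"   # assumed host
    port = int(argv[2]) if len(argv) > 2 else 443
    results = probe_all(host, port)
    for name, (ok, detail) in results.items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}  {detail}")
        if ok:
            why = weak_cipher_reason(detail)
            if why:
                print(f"         weak cipher negotiated: {why}")
    problems = evaluate({n: ok for n, (ok, _) in results.items()})
    for p in problems:
        print("POLICY VIOLATION:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 tls_probe.py vip.example.com 443` before and after editing the profile; a non-zero exit means the virtual server still disagrees with the requested policy. A "rejected" TLSv1 line is what you want to see after adding No TLSv1 (and No TLSv1.1), and an "accepted" TLSv1.3 line confirms that removing No TLSv1.3 took effect.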
19-Oct-2021 11:48
Thank you. I will try this out.