Legacy TLS versions still enabled
If a public endpoint still accepts TLS 1.0 or TLS 1.1, it is usually carrying compatibility debt that no longer benefits modern browsers. Most public web applications should keep TLS 1.2 and TLS 1.3 only.
What to change
- CDN or load balancer: Raise the minimum TLS policy so legacy protocol versions are no longer accepted.
- Reverse proxy: Remove `TLSv1` and `TLSv1.1` from the enabled protocol list in Nginx, Apache, Envoy, or HAProxy.
- Exception handling: If a documented legacy dependency still requires an obsolete protocol, isolate it and keep that exception narrow.
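The following is an added example, not part of this page and not taken from any of the named proxies' documentation. It shows the weak and the hardened form of the Nginx `ssl_protocols` directive side by side (both configuration texts are constructed for illustration) and a small POSIX sh check that flags any legacy protocol token still listed, which is handy when the directive is scattered across many `server` blocks or vhost files.

```shell
#!/bin/sh
# Added example (not from the original page): check Nginx configuration text
# for legacy TLS versions in ssl_protocols directives.

# Weak configuration (constructed): TLS 1.0 and TLS 1.1 are still accepted.
WEAK_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'

# Hardened configuration (constructed): TLS 1.2 and TLS 1.3 only.
HARDENED_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}'

# legacy_tls_enabled CONFIG_TEXT
# Prints every legacy protocol token found in ssl_protocols directives.
# Returns 0 (true) if at least one legacy version is enabled, 1 if none is.
legacy_tls_enabled() {
    found=1
    # Pull the value of each ssl_protocols directive, one token per line.
    tokens=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' \
        | tr ' \t' '\n\n')
    for t in $tokens; do
        case "$t" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                printf 'legacy protocol enabled: %s\n' "$t"
                found=0 ;;
        esac
    done
    return $found
}

# report LABEL CONFIG_TEXT: human-readable verdict for one configuration.
report() {
    printf '== %s ==\n' "$1"
    if legacy_tls_enabled "$2"; then
        printf 'verdict: needs change\n'
    else
        printf 'verdict: ok (TLS 1.2/1.3 only)\n'
    fi
}

report "weak config" "$WEAK_CONF"
report "hardened config" "$HARDENED_CONF"
```

To run the check against a real deployment, feed it the output of `nginx -T` (which prints the fully resolved configuration) instead of the constructed strings. The equivalent hardened settings in the other proxies named above are `SSLProtocol -all +TLSv1.2 +TLSv1.3` for Apache mod_ssl, `ssl-default-bind-options ssl-min-ver TLSv1.2` in the HAProxy `global` section, and `tls_params.tls_minimum_protocol_version: TLSv1_2` in an Envoy listener's TLS context; the token names differ, so the checker above is Nginx-specific as written.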
Verify after change
- Probe TLS 1.0 and 1.1: The endpoint should reject both handshakes.
- Retest TLS 1.2 and 1.3: Modern clients should still negotiate successfully after the policy change.
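One way to run both verification steps from a shell, as an added example that is not part of the original page: probe each protocol version with `openssl s_client` and compare the outcome with the expected result (1.0 and 1.1 rejected, 1.2 and 1.3 negotiated). The host name is a placeholder supplied on the command line, and the three sample `s_client` outputs embedded below are constructed, abridged transcripts used only to exercise the classifier offline. The classifier deliberately separates a server rejection from a probe that failed because the local OpenSSL build itself no longer speaks TLS 1.0/1.1 (OpenSSL 3.x does this at its default security level), since the latter proves nothing about the endpoint.

```shell
#!/bin/sh
# Added example (not from the original page): probe an endpoint for each TLS
# version with openssl s_client and check the outcome against expectations.

# classify_handshake OUTPUT
# Reads captured s_client output and prints one word:
#   client-unsupported - the local OpenSSL refused to offer that version
#   rejected           - the server refused the handshake
#   negotiated         - a session was established
#   unknown            - none of the known markers were seen
classify_handshake() {
    case "$1" in
        *"no protocols available"*)
            printf 'client-unsupported\n' ;;
        *"alert protocol version"*|*"alert handshake failure"*|*"wrong version number"*|*"Cipher is (NONE)"*)
            printf 'rejected\n' ;;
        *"New, TLSv1"*|*"Protocol  : TLSv1"*|*"Protocol version: TLSv1"*)
            printf 'negotiated\n' ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# expected_result FLAG: what a correctly hardened endpoint should do.
expected_result() {
    case "$1" in
        tls1|tls1_1) printf 'rejected\n' ;;
        tls1_2|tls1_3) printf 'negotiated\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# probe_tls HOST PORT FLAG  (FLAG is one of tls1 tls1_1 tls1_2 tls1_3)
probe_tls() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1)
    classify_handshake "$out"
}

# verify_endpoint HOST [PORT]: run all four probes, print a PASS/FAIL table.
verify_endpoint() {
    host=$1; port=${2:-443}; rc=0
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        got=$(probe_tls "$host" "$port" "$flag")
        want=$(expected_result "$flag")
        if [ "$got" = "$want" ]; then status=PASS; else status=FAIL; rc=1; fi
        printf '%-7s want=%-10s got=%-18s %s\n' "$flag" "$want" "$got" "$status"
    done
    return $rc
}

# Constructed, abridged s_client transcripts for an offline demonstration.
SAMPLE_NEGOTIATED='CONNECTED(00000003)
---
SSL handshake has read 4242 bytes and written 398 bytes
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_SERVER_REJECTED='CONNECTED(00000003)
4067:error:0A000416:SSL routines::tlsv1 alert protocol version:...:SSL alert number 70
---
New, (NONE), Cipher is (NONE)'
SAMPLE_CLIENT_UNSUPPORTED='CONNECTED(00000003)
4068:error:0A0000BF:SSL routines::no protocols available:...
---
New, (NONE), Cipher is (NONE)'

if [ $# -ge 1 ]; then
    verify_endpoint "$@"          # e.g. ./probe.sh EXAMPLE-HOST 443
else
    printf 'sample negotiated:         %s\n' "$(classify_handshake "$SAMPLE_NEGOTIATED")"
    printf 'sample server rejected:    %s\n' "$(classify_handshake "$SAMPLE_SERVER_REJECTED")"
    printf 'sample client unsupported: %s\n' "$(classify_handshake "$SAMPLE_CLIENT_UNSUPPORTED")"
fi
```

If a TLS 1.0 or 1.1 probe comes back as `client-unsupported`, the endpoint has not been tested at all; rerun it from a host whose OpenSSL still offers those versions, or lower the local security level for that one probe with `-cipher 'DEFAULT:@SECLEVEL=0'`, so that the observed `rejected` is the server's decision rather than the client's.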