How to Disable TLS 1.0

If you disable TLS 1.0, some browsers will not be able to access your apps over HTTPS.

See Wikipedia's table of browser TLS version compatibility to understand which browsers will not be able to access your apps over HTTPS if you disable TLS 1.0. Any browser that does not support TLS 1.1+ by default will be unable to access any apps on your server over HTTPS if you disable TLS 1.0.

Some PCI scanners are instructing their customers to disable TLS 1.0 for PCI compliance. This is because TLS 1.0 is expected to be classified as insecure within a few years, even though it is not currently classified that way.

According to the organization that sets the PCI standards, existing applications have until June 2018 to stop supporting TLS 1.0. New applications are not supposed to support TLS 1.0.

Unfortunately, even if you don't truly need to disable TLS 1.0 for actual PCI compliance, most PCI scanning companies will not help you understand in which situations PCI compliance applies to you and your business. As a result, you may be, or feel, forced to comply with incorrect recommendations.

In short, you probably should not disable TLS 1.0, but if that's the only way to satisfy a PCI scanner you are required to use, the instructions below will show you how.

Disabling TLS 1.0 for All Apps on a Server

It is not possible to disable TLS 1.0 for only a single app on a server. If you need to disable TLS 1.0, you'll need to disable it for all apps.

If disabling TLS 1.0 for an entire server is not an option but you must disable it for a single app, you will need to move that app to its own server.

To disable TLS 1.0 on a server, SSH into your server as root and run these commands:

echo "ssl_protocols TLSv1.1 TLSv1.2;" > /etc/nginx-sp/http.d/disable_tls1.0.conf
sudo service nginx-sp restart
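Before restarting, it helps to confirm that no ssl_protocols directive anywhere in the configuration still lists TLSv1. The following is an added example, not ServerPilot's own code: it lints nginx configuration text for the ssl_protocols directive. It assumes the caller has already concatenated the files to check (ServerPilot's main nginx-sp config is not shown on this page, so the BEFORE sample below is constructed).

```python
"""Lint nginx ssl_protocols directives for legacy TLS versions (added example)."""
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1"}
KNOWN = LEGACY | {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def strip_comments(text):
    """Drop '#' comments: nginx ignores everything after '#' on a line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def ssl_protocols(text):
    """Return one protocol list per ssl_protocols directive found.

    A directive ends at ';' and may span several lines. The lookbehind keeps
    other directives such as proxy_ssl_protocols from matching.
    """
    clean = strip_comments(text)
    found = re.findall(r"(?<!\w)ssl_protocols\s+([^;]+);", clean)
    return [values.split() for values in found]


def lint(text):
    """Return (ok, problems); ok is True only when no legacy protocol is enabled."""
    problems = []
    directives = ssl_protocols(text)
    if not directives:
        problems.append("no ssl_protocols directive found; nginx's built-in default applies")
    for protos in directives:
        legacy = sorted(p for p in protos if p in LEGACY)
        unknown = sorted(p for p in protos if p not in KNOWN)
        if legacy:
            problems.append("legacy protocols enabled: " + " ".join(legacy))
        if unknown:
            problems.append("unrecognized protocol tokens: " + " ".join(unknown))
    return (not problems, problems)


# Constructed sample (not from the page): a server block that still lists TLSv1.
BEFORE = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy client support
}
"""

# The drop-in file from the article, /etc/nginx-sp/http.d/disable_tls1.0.conf.
AFTER = "ssl_protocols TLSv1.1 TLSv1.2;\n"
```

Running lint over the concatenated configuration before the restart catches a TLSv1 entry that the drop-in file would not override.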

Verifying TLS 1.0 Is Disabled

After following the instructions above, you can verify TLS 1.0 is disabled by using the SSL Server Test from SSL Labs.