Some PCI scanners are instructing their customers to disable TLS 1.0 for PCI compliance. This is because TLS 1.0 may be considered insecure in a few years, even though it is not currently considered insecure.
According to the organization that sets the PCI standards, existing applications have until June 2018 to stop supporting TLS 1.0. New applications are not supposed to support TLS 1.0.
Unfortunately, even if you don't truly need to disable TLS 1.0 for actual PCI compliance, most PCI scanning companies will not help you understand in what situations PCI compliance applies to you and your business. As a result, you may be or feel forced to comply with incorrect recommendations.
In short, you probably should not disable TLS 1.0, but if that's the only way to satisfy a PCI scanner you are required to use, the instructions below will show you how.
It is not possible to disable TLS 1.0 for only a single app on a server. If you need to disable TLS 1.0, you'll need to disable it for all apps.
If disabling TLS 1.0 for an entire server is not an option but you must disable it for a single app, you will need to move that app to its own server.
To disable TLS 1.0 on a server, SSH in to your server as root and run these commands:
echo "ssl_protocols TLSv1.1 TLSv1.2;" > /etc/nginx-sp/http.d/disable_tls1.0.conf
sudo service nginx-sp restart
After following the instructions above, you can verify TLS 1.0 is disabled by using the SSL Server Test from SSL Labs.
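A local check to run before the external scan, as an added example that is not part of the original page: it lists any ssl_protocols directive under a configuration directory that still names the exact token TLSv1, which a plain grep for "TLSv1" would confuse with TLSv1.1 and TLSv1.2. The function names and the sample directory layout are hypothetical, the sample files are constructed, and it assumes one directive per line.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the sample
# directory layout are hypothetical; assumes one directive per line.

# Build a constructed sample config tree and print its path.
make_sample_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/http.d" "$d/vhosts.d"
    printf 'ssl_protocols TLSv1.1 TLSv1.2;\n' > "$d/http.d/disable_tls1.0.conf"
    printf '# ssl_protocols TLSv1;\n' > "$d/http.d/old.conf"
    printf 'server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # older vhost\n}\n' \
        > "$d/vhosts.d/legacy.conf"
    echo "$d"
}

# Print "file:line: directive" for every ssl_protocols directive that lists
# the exact token TLSv1. Comments are stripped first, and tokens are compared
# whole so that TLSv1.1 and TLSv1.2 do not count as TLSv1.
find_tls10_enabled() {
    conf_dir=$1
    find "$conf_dir" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            { line = $0; sub(/#.*/, "", line) }
            line ~ /^[ \t]*ssl_protocols[ \t]/ {
                n = split(line, tok, /[ \t;]+/)
                for (i = 1; i <= n; i++)
                    if (tok[i] == "TLSv1") {
                        sub(/^[ \t]+/, "", line)
                        printf "%s:%d: %s\n", file, NR, line
                        break
                    }
            }' "$f"
    done
}

# Succeeds (exit status 0) only when no directive under the tree enables TLS 1.0.
tls10_disabled() {
    [ -z "$(find_tls10_enabled "$1")" ]
}

# Demo on the constructed sample: reports the legacy vhost only.
demo_dir=$(make_sample_conf)
find_tls10_enabled "$demo_dir"
rm -rf "$demo_dir"
```

To audit a real server, pass the directory that holds its nginx configuration files to find_tls10_enabled.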