Skip to main content

Fix Guides

How to Disable Outdated TLS Versions (1.0 & 1.1)

Support only TLS 1.2 and 1.3 — drop protocols attackers can downgrade to.

Quick fix

To fix outdated TLS, disable SSL 3.0, TLS 1.0 and TLS 1.1 on your server or CDN — enable only TLS 1.2 and TLS 1.3 with strong cipher suites. Test with SSL Labs, then verify your site still loads in modern browsers.

TLS 1.0 and 1.1 are deprecated and vulnerable to known attacks. Browsers no longer support them by default, but servers that still accept them fail security audits and allow downgrade attacks. Enabling only TLS 1.2+ closes the gap.

Check your website

See how your site handles how to disable outdated tls versions (1.0 & 1.1) — free, no account needed.

Business impact

Payment processors and enterprise customers increasingly require modern TLS. Outdated protocols fail PCI scans and penetration tests, and signal neglected infrastructure. Disabling them affects virtually no real users today — every modern browser supports TLS 1.2+.

Why this happens

TLS version negotiation happens during the HTTPS handshake. If your server accepts TLS 1.0, an attacker on the network can potentially force a downgrade to weaker encryption. PCI DSS and industry standards require TLS 1.2 minimum since 2018. TLS 1.3 (2018) is faster and more secure — enable it alongside 1.2. Test with SSL Labs or nmap --script ssl-enum-ciphers.

How to confirm the issue

Manually: run an SSL Labs test on your domain. Protocols below TLS 1.2 listed as enabled mean you need to harden.

With Plexa Trust: TLS version checks appear in advanced probes. After hardening, re-scan and run SSL Labs to confirm only 1.2/1.3 remain.

Step-by-step fix

  1. Run an SSL Labs test to see which TLS versions and ciphers are enabled.

  2. Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in server or CDN config.

  3. Enable TLS 1.2 and TLS 1.3 with modern cipher suites.

  4. Remove weak ciphers (RC4, 3DES, export-grade).

  5. Test your site in Chrome, Firefox and Safari after changes.

  6. Re-run SSL Labs — aim for an A or A+ rating.

Platform-specific fixes

Cloudflare

  1. SSL/TLS → Edge Certificates → Minimum TLS Version → TLS 1.2 (or 1.3).

  2. Cloudflare handles cipher selection at the edge — origin should match.

Apache (mod_ssl)

  1. SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  2. SSLCipherSuite with ECDHE and AEAD ciphers; SSLHonorCipherOrder on

  3. Reload Apache and test with SSL Labs.

Nginx

  1. ssl_protocols TLSv1.2 TLSv1.3;

  2. ssl_prefer_server_ciphers on; use a modern ssl_ciphers string.

  3. nginx -t && reload.

IONOS / managed hosting

  1. Check hosting panel for TLS/SSL settings — many hosts default to TLS 1.2+ now.

  2. If no UI option, contact support to disable TLS 1.0/1.1 on your account.

  3. Front with Cloudflare for edge TLS control if host options are limited.

How to verify the fix

  • Support TLS 1.2 and 1.3 only — disable everything older.

  • Prefer forward-secret ECDHE cipher suites.

  • Re-test after certificate renewal or host migrations.

  • Pair with HSTS so browsers never attempt plaintext HTTP.

Common mistakes

  • Disabling TLS 1.0 on the CDN but leaving it enabled on the origin.

  • Breaking very old clients (IE10) — acceptable for virtually all sites in 2026.

  • Enabling TLS 1.3 but using weak cipher suites on TLS 1.2.

  • Not re-testing after a hosting migration.

Frequently asked questions

Which TLS versions should I support?

TLS 1.2 and TLS 1.3 only. Disable SSL 3.0, TLS 1.0 and TLS 1.1.

Will disabling TLS 1.0 break my site?

Not for any modern browser (released since ~2020). IE10 and ancient Android are the only casualties.

Is TLS the same as SSL?

TLS replaced SSL. "SSL certificate" is everyday language; the protocol in use is TLS.

How do I test TLS versions?

SSL Labs (ssllabs.com/ssltest), testssl.sh, or nmap ssl-enum-ciphers.

Does TLS 1.3 replace the need for HSTS?

No — they solve different problems. TLS 1.3 secures connections; HSTS prevents downgrade to HTTP.

What about PCI DSS?

PCI requires TLS 1.2+ since mid-2018. TLS 1.0/1.1 fail compliance scans.

Cloudflare hides my origin TLS — is that enough?

Visitors to Cloudflare see modern TLS, but harden origin too — direct IP access could otherwise use weak protocols.

How do I confirm the fix?

SSL Labs should show only TLS 1.2 and 1.3 enabled. Re-scan with Plexa Trust.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring