Roots Discourse

Deprecating TLS 1.0 and 1.1


#1

When checking the SSL Labs test for my development site of late, using Trellis 1.0.0, I noticed that the Trellis SSL/TLS configuration is still allowing TLS 1.0 and 1.1 instead of just 1.2.

With all of the major browser vendors announcing an end to TLS 1.0 and 1.1 support sometime in the next year or so, I’m thinking it might be time for Trellis to stop supporting it as well.

I notice that Trellis uses the H5BP templates for nginx configuration during server setup. I’m thinking it might be good to move to their intermediate policy config, which should be a good balance: all of the major browsers under current support (Chrome, Firefox, Safari, Edge, and Internet Explorer) use TLS 1.2, and that’s what gets negotiated by the SSL Labs test.

If there is concern for supporting some range of older browsers that don’t support TLS 1.2, maybe there can be a setting somewhere to use the older deprecated template that keeps TLS 1.0 and 1.1 active.

Given that the philosophy of all of the Roots projects has been to use the best, most modern approaches to code and standards, I think this would be another step in the right direction to providing the best experience for the WordPress world.
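As an added example (not part of the original post, and not Trellis’s or H5BP’s own code), the following Python audits an nginx configuration for `ssl_protocols` directives that still enable TLS 1.0/1.1 (or SSLv2/3) and rewrites them to keep only non-deprecated versions, which is the substance of moving from the legacy H5BP template to the intermediate policy. The `LEGACY_CONF` sample is constructed for the demonstration; the function names and the `MODERN_DEFAULT` fallback are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an nginx TLS block that still offers TLS 1.0 and 1.1.
# It stands in for a legacy H5BP-style snippet; it is not Trellis's real file.
LEGACY_CONF = """\
server {
    listen 443 ssl http2;
    server_name example.test;

    # ssl_protocols SSLv3 TLSv1;   (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
"""

# Protocol versions the major browser vendors are dropping or have dropped.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed fallback when a directive would otherwise be left empty.
MODERN_DEFAULT = "TLSv1.2"

# Matches an active (uncommented) ssl_protocols directive; a leading '#' fails
# the match, so commented-out lines are ignored.
_DIRECTIVE = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;#]+);")


def find_ssl_protocols(conf: str) -> List[Tuple[int, List[str]]]:
    """Return (line_number, [protocols]) for every active ssl_protocols directive."""
    found = []
    for no, line in enumerate(conf.splitlines(), start=1):
        m = _DIRECTIVE.match(line)
        if m:
            found.append((no, m.group(2).split()))
    return found


def audit(conf: str) -> Dict[int, List[str]]:
    """Map line number -> deprecated versions still enabled on that line.

    Key 0 flags a config with no directive at all: nginx then uses its
    compiled-in default, which on older releases still includes TLSv1/TLSv1.1,
    so "no directive" is not the same as "TLS 1.2 only".
    """
    directives = find_ssl_protocols(conf)
    if not directives:
        return {0: ["(no ssl_protocols directive; nginx default applies)"]}
    findings: Dict[int, List[str]] = {}
    for no, protos in directives:
        bad = [p for p in protos if p in DEPRECATED]
        if bad:
            findings[no] = bad
    return findings


def harden(conf: str) -> str:
    """Rewrite every active ssl_protocols directive to drop deprecated versions.

    If nothing non-deprecated remains (e.g. 'ssl_protocols SSLv3 TLSv1;'),
    the directive is set to MODERN_DEFAULT rather than left empty.
    """
    def fix(m: "re.Match[str]") -> str:
        keep = [p for p in m.group(2).split() if p not in DEPRECATED]
        return f"{m.group(1)}ssl_protocols {' '.join(keep) or MODERN_DEFAULT};"
    return re.sub(_DIRECTIVE.pattern, fix, conf, flags=re.MULTILINE)


if __name__ == "__main__":
    print("findings:", audit(LEGACY_CONF))
    fixed = harden(LEGACY_CONF)
    print(fixed)
    print("findings after hardening:", audit(fixed))
```

Run this over the rendered nginx files on the server (not only the templates) and then confirm from the outside with an SSL Labs scan, since the handshake result depends on the nginx and OpenSSL builds as well as on the directive. TLSv1.3 is deliberately not in the deprecated set, so a config that already lists `TLSv1.2 TLSv1.3` passes unchanged.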


#2

See https://github.com/h5bp/server-configs-nginx/pull/210

Looks like we just need to update to v3?

Last update to Trellis H5BP configs was this: https://github.com/roots/trellis/pull/973


#3

Yes, this looks correct. Here is the “intermediate” policy I was referencing: