SSL Labs showing TLS 1.0 while disabled


#1

I’m trying to do the same (disable TLS 1.0 for PCI compliance). The “Crypto” table shows Minimum TLS version = TLS 1.1, however SSL labs still reports TLS 1.0 is enabled and working.

What am I missing?


#2

I for sure know that setting it to 1.2 works. I have it set up that way.

Now my question is how much time has passed since the change was made? It could be it’s not completely instant.

I would also recommend setting straight to TLS 1.2 as PCI recommends it anyway (https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls) and there is less than 0.1% of the users worldwide that support TLS 1.1 and not 1.2.


#3

Good point @Matteo on TLS 1.2 vs 1.1. I just looked at the reporting, I think the move to 1.2 would be safe for our users.

It still doesn’t answer why the setting isn’t actually working for us though. This has been set at 1.1 for quite some time (weeks or months).

Any other ideas?


#4

Would you mind disclosing the domain name?


#5

Sure thing, it’s MilkStork.com


#6

Try doing a thing for me. Set it back to 1.0 or up to 1.2, wait a bit (an hour or so) and then lower it again.

If you put it to 1.2 try the test again as well. Maybe the setting never got pushed for some strange reason. Then we can bother @cloonan trying to understand this :stuck_out_tongue_winking_eye:


#7

Will do. Thanks @Matteo!!


#8

Ok, @Matteo, this is where it gets a little bizarre. I’ve changed the setting to set the minimum to TLS 1.2. SSL Labs is reporting that TLS 1.1 is disabled, but TLS 1.0 is still enabled??


#9

Mmm currently on my mobile, can’t test much, but can someone (you or @cloonan) test with TLS 1.0 directly? Maybe an issue with SSL Labs


#10

Good call @Matteo! I pulled down https://github.com/drwetter/testssl.sh and ran a test. The quick version, it looks like an SSL Labs issue.

It’s showing:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK) : final
NPN/SPDY h2, http/1.1 (advertised)
ALPN/HTTP2 h2, http/1.1 (offered)

Thanks for your help!

Nick


#11

I hope this will help

The "Minimum TLS Version" setting does not apply to Universal SSL on Pro domains because they share the IP space with other domains. This means any changes to Universal SSL will affect other customers that did not opt in to disable TLS 1.0.

In order to disable TLS 1.0, you have the following options:

1.) Purchase a dedicated certificate then disable Universal SSL. This allows you to control the minimum TLS version as the certificate is dedicated to your zone.

2.) Upgrade to our Business plan. Business plan IP space is not shared with other zones, allowing you to control the minimum TLS of the Universal certificate.

3.) Use Cloudflare Workers to deny TLS 1.0 requests. This allows granular control over which TLS version and cipher you want to allow.
ref: https://developers.cloudflare.com/workers/about/how-workers-work/
https://developers.cloudflare.com/workers/recipes/tls-version-blocking/
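A Worker in the spirit of option 3 above, written as an added example for this thread rather than Cloudflare's own recipe. It assumes the edge populates request.cf.tlsVersion with strings such as "TLSv1.2", and that "TLSv1" is the spelling used for TLS 1.0 (both spellings are accepted to be safe); the minimum version is a policy value chosen here, not something the thread states.

```javascript
// Minimum TLS version the zone should accept (assumed policy value, matching
// the PCI recommendation discussed in this thread).
const MIN_TLS = 'TLSv1.2';

// Rank the version strings Workers expose in request.cf.tlsVersion so they can
// be compared numerically. "TLSv1" and "TLSv1.0" are both mapped to 1.0 because
// the exact spelling the edge uses for 1.0 is an assumption here.
const TLS_RANK = { 'TLSv1': 10, 'TLSv1.0': 10, 'TLSv1.1': 11, 'TLSv1.2': 12, 'TLSv1.3': 13 };

// true only when `version` is a known TLS version at or above `minimum`.
// Unknown or missing versions fail closed: they are never treated as acceptable.
function tlsVersionAtLeast(version, minimum) {
  const have = TLS_RANK[version];
  const need = TLS_RANK[minimum];
  if (have === undefined || need === undefined) return false;
  return have >= need;
}

// Pure decision function so the policy can be exercised without a live edge.
// `cf` is the Cloudflare-populated object on the incoming Request (request.cf).
// Note: plaintext HTTP requests carry no tlsVersion and are rejected too; if an
// HTTP->HTTPS redirect is served from this Worker, handle that case first.
function evaluate(cf) {
  const tlsVersion = cf && cf.tlsVersion ? cf.tlsVersion : 'unknown';
  return { tlsVersion, allowed: tlsVersionAtLeast(tlsVersion, MIN_TLS) };
}

// Reject handshakes below the minimum with a 403; pass everything else to origin.
async function handleRequest(request) {
  const verdict = evaluate(request.cf);
  if (!verdict.allowed) {
    return new Response(`TLS ${verdict.tlsVersion} is not accepted; minimum is ${MIN_TLS}`, {
      status: 403,
      headers: { 'content-type': 'text/plain' },
    });
  }
  return fetch(request);
}

// Register the handler only when running at the Cloudflare edge, so the
// decision functions above can also be loaded and tested locally.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```

A rejected client still completes the TLS 1.0 handshake with Cloudflare's shared edge; the Worker only refuses to serve the request, which is what scanners like SSL Labs will still observe at the handshake layer.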


#12

It works for me.

https://www.ssllabs.com/ssltest/analyze.html?d=mattnordhoff.net&hideResults=on

Shared IP addresses don’t have to be an issue when using SNI. The server learns the client’s desired TLS version and hostname at the same time, so it can make decisions taking them both into account.

(Session resumption is a complication.)

Most normal web servers may or may not allow fine-grained settings like that, but Cloudflare’s stack probably does, or they patched it to.