If I have client with TLS1.0, 1.1, and 1.2 all enabled can I just leave it how it is or should I disable 1.0 and 1.1?

Matt Brossette 40 Reputation points
2024-10-23T14:12:06.22+00:00

I know I need my clients to have TLS1.2 enabled at a minimum, but will leaving 1.0 or 1.1 enabled cause any issues or should I just disable them and restart the VMs?


Accepted answer
  1. Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator
    2024-10-23T18:36:40.64+00:00

    Hi @Matt Brossette

    Thanks for using Microsoft Q&A Forum and posting your query here.

    Yes, it is recommended to disable TLS 1.0 and 1.1 and only enable TLS 1.2 for security reasons. TLS 1.0 and 1.1 are considered less secure and have known vulnerabilities that can be exploited. Once you've disabled the older protocols, restarting your VMs would be a good step to apply the changes.

    Additionally:

    You can check if your clients and applications support TLS 1.2 by testing them against a TLS 1.2-only endpoint. If your clients and applications are able to connect to the endpoint successfully, then they support TLS 1.2, and you can safely disable TLS 1.0 and 1.1.

    To maintain a secure environment, it is advisable to disable TLS 1.0 and 1.1 and ensure that all clients and servers are configured to use TLS 1.2 or later.

    Please let us know if you have any further queries. I'm happy to assist you further.

    Hope this answers your query. Please do "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

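The capability test the accepted answer describes (connect to a TLS 1.2-only endpoint and see whether the handshake completes) can be run from the client VM with PowerShell. The script below is an added example, not code from the answer or from Microsoft; `Test-TlsProtocol`, the host name `tls12-only.example.internal` and the port are assumptions, so point it at an endpoint you control. It pins one protocol version per handshake, which also lets you confirm that TLS 1.0 and 1.1 really are refused once you have turned them off.

```powershell
# Added example: probe which TLS versions this client can negotiate against a
# given endpoint by attempting one handshake per pinned protocol version.
# Requires a TLS 1.2-only endpoint you control (hypothetical name below).
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int] $Port = 443,
        [System.Security.Authentication.SslProtocols] $Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($TargetHost, $Port)
        # Keep certificate validation on: a handshake that only works with
        # validation disabled does not count as a pass.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Overload: (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $true)
        [pscustomobject]@{
            Host       = $TargetHost
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Success    = $true
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Host       = $TargetHost
            Requested  = $Protocol
            Negotiated = $null
            Success    = $false
            Error      = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage: one row per protocol version. Expected on a correctly configured
# client talking to a TLS 1.2-only endpoint: Tls and Tls11 fail, Tls12 succeeds.
'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-TlsProtocol -TargetHost 'tls12-only.example.internal' -Protocol $_ } |
    Format-Table -AutoSize
```

Read the results as follows: a failure when requesting `Tls12` means this client (or something in the path) cannot negotiate TLS 1.2 and would break once the older versions are disabled; a success when requesting `Tls` or `Tls11` after you have disabled them means the registry change has not taken effect yet, which is expected until the VM is restarted. Applications that pin a protocol in their own code (older .NET Framework builds in particular) can behave differently from the OS default, so test the actual applications as well as the OS stack.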

3 additional answers

  1. Aditya Yadav 5 Reputation points
    2024-10-23T19:16:32.84+00:00

    It's highly recommended to disable TLS 1.0 and TLS 1.1 if your clients support TLS 1.2, as both TLS 1.0 and TLS 1.1 have known vulnerabilities and are considered outdated by modern security standards. Continuing to leave these versions enabled could expose your systems to potential security risks, such as downgrade attacks, where an attacker forces a connection to use a weaker protocol like TLS 1.0 or 1.1, which could lead to compromised security.

    Reasons to disable TLS 1.0 and 1.1:

    • Security Vulnerabilities: These versions have several known weaknesses, such as POODLE and BEAST attacks.
    • Compliance: Many industry standards (like PCI-DSS) now require the use of TLS 1.2 or higher to remain compliant.
    • Best Practices: Most modern applications and systems default to TLS 1.2 or higher, and it's a best practice to minimize the attack surface by disabling older protocols.

    Action Steps:

    1. Ensure that all clients and services are fully capable of using TLS 1.2 or TLS 1.3.
    2. Disable TLS 1.0 and 1.1 by configuring the system settings or registry (depending on the platform).
    3. Restart the VMs after applying the changes to enforce the new settings.

    This will strengthen the security of your infrastructure while maintaining compatibility with TLS 1.2.

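Steps 2 and 3 of the action list above, worked through for a Windows VM. This is an added example, not a script from the answer or from Microsoft. The SCHANNEL registry path and the `Enabled` / `DisabledByDefault` values are the standard Windows settings for per-protocol control; the function names, the backup file location and the .NET Framework `SystemDefaultTlsVersions` / `SchUseStrongCrypto` values are additions beyond what the answer states (the latter two are the documented way to make .NET Framework applications follow the OS protocol list). Run it from an elevated PowerShell session.

```powershell
# Added example: disable TLS 1.0 and 1.1 (client and server side) in SCHANNEL,
# make sure TLS 1.2 is explicitly enabled, and show the resulting state.
# SCHANNEL reads these values at boot, so the VM must be restarted afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,     # e.g. 'TLS 1.0'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps
        # it off for callers that do not name a protocol list explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    foreach ($name in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $base "$name\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            # A missing value means the OS default applies for that version.
            $enabled  = '(OS default)'
            $disabled = '(OS default)'
            if ($props -and $null -ne $props.Enabled)           { $enabled  = $props.Enabled }
            if ($props -and $null -ne $props.DisabledByDefault) { $disabled = $props.DisabledByDefault }
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
            }
        }
    }
}

# 1. Back up the current protocol settings so the change can be rolled back
#    if an application turns out to depend on TLS 1.0/1.1 (backup path assumed).
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' `
    "$env:TEMP\schannel-protocols-backup.reg" /y

# 2. Disable the old versions and pin TLS 1.2 on explicitly.
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# 3. Make .NET Framework applications follow the OS protocol list instead of
#    their own compiled-in default (64-bit and 32-bit hives).
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($net in $netKeys) {
    if (Test-Path $net) {
        New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# 4. Show what is now in the registry; restart when you are ready to enforce it.
Get-SchannelProtocolState | Format-Table -AutoSize
# Restart-Computer
```

Running `Get-SchannelProtocolState` before the change (and on a VM you have not touched yet) shows whether the old versions are on by the OS default or by an explicit value, which is the difference between "leave it how it is" and a deliberate configuration. After the restart, re-run the protocol test from the accepted answer's approach against a TLS 1.2-only endpoint to confirm that TLS 1.0 and 1.1 handshakes now fail from this client.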

  2. Michael Taylor 60,331 Reputation points
    2024-10-23T16:40:00.3733333+00:00

    If you "need to have" your clients use TLS 1.2 then the only way to enforce that is to disable 1.0/1.1. Otherwise they will be able to continue to call you using the older protocols. Also any security scans you run would flag these protocols as insecure.

    I would recommend you disable the older protocols. Whether you restart the VMs now or wait until a more convenient time is up to you. But as long as they are enabled clients can call you with the older protocols and you're "insecure".


  3. MRehanKhan-7645 10 Reputation points
    2024-10-25T12:16:31.4733333+00:00

    Help my device fake server attch

