Tips for SSL/TLS configuration

Category: SSL
Created: 2022-07-06

TLS 1.0/1.1

The protocols TLS 1.0 and TLS 1.1 are no longer considered completely secure. While many (old) e-mail programmes still require these protocols, they can usually be deactivated on the web server (Apache/NGINX) without hesitation.

For newly created IP groups (Server Administration -> Web), TLS 1.0/1.1 is automatically disabled. You can also disable it later for existing groups via the IP group settings.

In general, LiveConfig also supports disabling TLS 1.0/1.1 for individual IP groups only. With NGINX this always works (to our knowledge); with Apache it requires at least LiveConfig 2.14.3 and at least Apache 2.4.42 (Apache Bug 55707).

Important: TLS 1.0/1.1 only works with TLS certificates with RSA keys! Certificates with ECDSA keys require at least TLS 1.2!
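
To confirm from the outside that an IP group really no longer negotiates TLS 1.0/1.1, you can attempt a handshake pinned to each old version. The following Python script is an added example, not part of LiveConfig; the host name passed on the command line and port 443 are assumptions, and the result is only meaningful if the local OpenSSL can still offer the old protocols (reported as "inconclusive" otherwise).

```python
import socket
import ssl
import sys
import warnings

LEGACY = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1}

def legacy_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # only the protocol is probed,
    ctx.verify_mode = ssl.CERT_NONE   # not the certificate chain
    # Many current OpenSSL builds refuse TLS 1.0/1.1 at their default security level.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():   # Python flags these versions as deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """Return (status, detail) for one handshake attempt."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    with raw:
        try:
            with legacy_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return "accepted", f"{tls.version()} with {tls.cipher()[0]}"
        except ssl.SSLError as exc:
            if exc.reason == "NO_PROTOCOLS_AVAILABLE":
                # The local OpenSSL would not send the hello: says nothing about the server.
                return "inconclusive", "local OpenSSL cannot offer this version"
            return "refused", exc.reason or str(exc)
        except OSError as exc:        # reset or timeout during the handshake
            return "refused", str(exc)

def audit(host, port=443):
    """Probe both legacy versions and return {name: (status, detail)}."""
    return {name: probe(host, port, v) for name, v in LEGACY.items()}

if __name__ == "__main__" and len(sys.argv) > 1:
    for name, (status, detail) in audit(sys.argv[1]).items():
        print(f"{name}: {status} ({detail})")
```

After disabling TLS 1.0/1.1 for an IP group, both lines should read "refused"; an "accepted" line also shows the negotiated cipher suite, which tells you whether an RSA certificate was used.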