SSL Google Chrome 81 deprecates TLS 1.0 and TLS 1.1 protocols in favour of TLS 1.2 & TLS 1.3.

Google plans to deprecate HTTPS usage of TLS 1.0 and TLS 1.1 protocols in favour of TLS 1.2 and TLS 1.3 in Chrome 81 and starting in Chrome 79 on January 13, 2020 will start showing HTTPS sites using TLS 1.0 and TLS 1.1 protocols as not secure. Mozilla also announced their Firefox deprecation of TLS 1.0 and TLS 1.1 by March, 2020 - as will Apple and Microsoft's products. So we have around 5 more months to go.

Centmin Mod Nginx HTTPS users can read up on TLS 1.3 at Centmin Mod Nginx HTTP/2 HTTPS TLS 1.3 Support.

• Chrome details warnings ahead of legacy TLS deprecation - 9to5Google
• Chromium Blog: Chrome UI for Deprecating Legacy TLS Versions

Currently, Centmin Mod 123.09beta01 configures the HTTPS SSL protocols used via a Nginx include file at /usr/local/nginx/conf/ssl_include.conf placed in each generated Nginx vhost config file at /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf.

The base template for /usr/local/nginx/conf/ssl_include.conf include file is

Code (Text):

ssl_session_cache      shared:SSL:10m;
ssl_session_timeout    60m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;

which then gets dynamically configured for TLSv1.3 if the detected Nginx crypto library it is built against (OpenSSL, LibreSSL, BoringSSL, BoringSSL/Quiche) has TLSv1.3 support. OpenSSL 1.1.1+ and BoringSSL are only ones supporting TLSv1.3 right now.

Centmin Mod 123.09beta01 Nginx defaults to being built against OpenSSL 1.1.1 so TLSv1.3 support would mean include file /usr/local/nginx/conf/ssl_include.conf automatically gets changed to the following on centmin.sh menu option 4 runs when upgrading/downgrading or recompiling Nginx server.

Code (Text):

ssl_session_cache      shared:SSL:10m;
ssl_session_timeout    60m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Now the question is when should Centmin Mod 123.09beta01 and newer start defaulting to removing TLSv1 (TLS 1.0) and TLSv1.1 (TLS 1.1) from the default install templates so they just become. Apple, Google, Microsoft and Mozilla will all deprecate TLS 1.0 and TLS 1.1 by 2020 next year it seems.

Code (Text):

ssl_session_cache      shared:SSL:10m;
ssl_session_timeout    60m;
ssl_protocols  TLSv1.2 TLSv1.3;

You can actually configure custom Nginx logging if you are behind or not behind Cloudflare as outlined at Cloudflare - Cloudflare custom Nginx logging to get your profile of SSL protocol usage to see what you are serving to visitors.

Example for one of my sites behind Cloudflare I am serving to CF edge the following since CF edge supports TLS 1.3 communication to Centmin Mod Nginx origin backends when using Cloudflare Full or Full Strict SSL. But not all clients/browsers support TLSv1.3 so you can see TLSv1.2 usage too i.e. Cloudflare Railgun which I use is over TLSv1.2 as well.

Code (Text):

pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
299277  TLSv1.3  TLS_AES_256_GCM_SHA384
192104  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
77871   TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
58      -        -
39      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
6       TLSv1    ECDHE-ECDSA-AES128-SHA
3       TLSv1.1  ECDHE-ECDSA-AES128-SHA

If you weren't behind Cloudflare or a reverse proxy like Incapsula or Sucuri WAF proxy, then the stats logged would be for direct visitors you serve.

Cloudflare has TLS minimum version setting for users which defaults to TLS 1.0, though I set it to TLS 1.2 minimum myself which is recommended.




With that said I am thinking Centmin Mod should be end of December 2019, set TLSv1.2 as minimum SSL protocol to use in it's include file. What do folks think ? The argument is some sites have visitors using older browser clients which don't support TLSv1.2 but then they will be very old according to stats at Can I use... Support tables for HTML5, CSS3, etc and Can I use... Support tables for HTML5, CSS3, etc

---

 

Use Google Analytics to break down traffic by browser and usage (session time) to see if those are real users of crawler/bots etc Centmin Mod Premium users have access to private premium members forum which also has a sticky thread for custom Google Analytics Dashboards to break down browser traffic too.

Example below of Premium member's Google Analytics custom dashboard available





and

 

Yes modern HTTPS recommends TLSv1.2 and TLSv1.3 which is what I enabled for this forum via Cloudflare TLS protocol settings