Compliance asks for TLS 1.3, old clients and partner APIs stick to TLS 1.2
TLS 1.3 has been the recommended standard since 2018 (RFC 8446). The old versions (1.0, 1.1) are deprecated, but 1.2 is still needed for backward compatibility. As of 2026: both 1.2 and 1.3 active, 1.0/1.1 off, no orphan.
Try this first
- 1. On your web server (nginx, IIS, Apache): set ssl_protocols to TLSv1.2 TLSv1.3, not 1.0 or 1.1.
- 2. Cipher suites: pick modern suites per the Mozilla SSL Configuration Generator. For maximum compatibility use 'intermediate'; for strict security use 'modern' (TLS 1.3 only).
- 3. Test at ssllabs.com/ssltest and target A or A+. Only enable 0-RTT (early data) if you understand the impact of replay attacks.
- 4. For mail servers (SMTP STARTTLS, IMAPS): same rule, TLS 1.2 + 1.3, old versions off. Postfix: smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1.
- 5. Communicate with partners before phasing out 1.2; some old API clients (Java 7, older .NET) silently fail to connect.
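To check steps 1 and 4 across many config files instead of by eye, the sketch below audits nginx ssl_protocols and Postfix smtpd_tls_protocols lines against the 1.2 + 1.3 baseline. It is an added example, not part of the original page: the function names and the sample config are constructed, and it only understands the name / !name list form shown above.

```python
import re

ALL = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WANTED = {"TLSv1.2", "TLSv1.3"}  # baseline from steps 1 and 4

def enabled_protocols(line):
    """Protocols one config line enables, or None if it is not a protocol line."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"ssl_protocols\s+(.+?);", line)  # nginx: positive list
    if m:
        tokens = m.group(1).split()
    else:
        m = re.match(r"smtpd_tls_protocols\s*=\s*(.+)", line)  # Postfix
        if not m:
            return None
        tokens = [t for t in re.split(r"[,\s]+", m.group(1)) if t]
    for t in tokens:
        if t.lstrip("!") not in ALL:
            raise ValueError(f"unsupported protocol token: {t}")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    # Postfix with exclusions only: everything not excluded stays configured on.
    return (included or set(ALL)) - excluded

def audit(text):
    """Return (line number, finding, protocols) for each deviation from WANTED."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        on = enabled_protocols(line)
        if on is None:
            continue
        if on - WANTED:
            findings.append((n, "legacy enabled", sorted(on - WANTED)))
        if WANTED - on:
            findings.append((n, "baseline missing", sorted(WANTED - on)))
    return findings

# Constructed sample lines, not taken from a real host.
SAMPLE = """\
# mixed nginx and Postfix lines for illustration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""

if __name__ == "__main__":
    for lineno, finding, protos in audit(SAMPLE):
        print(f"line {lineno}: {finding}: {', '.join(protos)}")
```

A host deliberately running the 'modern' (TLS 1.3 only) profile will be reported as missing TLSv1.2; drop it from WANTED in that case.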
When to bring us in
If you have a mix of modern and legacy clients and no view of where old TLS is still active, we can inventory the TLS stack and plan a phase-out.