Hi all,
Apologies in advance if this should be posted in a more Certbot specific forum, but I have a question about the automatic settings that CertBot deploys on a new server with Apache if you hadn’t set up any HTTPS configuration before.
At work we use CentOS, the latest version for any new servers, but I am leaving shortly and my successor may be relying on auto updates for all the Linux stuff for a little while. Our company policy is that we require any servers to score a grade of A- at minimum for our servers at Qualys SSLLabs, which looks at a website/domains HTTPS configuration and grades sites from A+ to F. Recently, Qualys announced they’re going to change their grading to reduce grades to B if they still support TLS version 1.0 and 1.1. https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols#more-25122
This will start with a warning in September and then the grade will change in March 2020. As of now, the settings CertBot provides if you allow it to configure Apache/HTTPD, is that it includes all -SSLv2 -SSLv3, which is OK for today but not for much longer. I changed this on a development server but only afterwards saw the warning not to touch the appropriate configuration file or CertBot won’t make any more updates to it. Obviously I we wouldn’t want to break the automatic update of settings, but at the same time we should want to restrict the deployment of old versions of TLS before March next year.
My question thusly is this: does the CertBot team intend to include a ban on TLS 1.0 and 1.1 in any future security/settings update?