How can I enable TLS 1.0 & 1.1?


#1

Hi everyone,
I use Let’s Encrypt SSL on my site: https://pccloob.ir
I enabled it from my host, but TLS 1.0 & 1.1 are not enabled and my app doesn’t work on Android < 4.4.
I want to enable TLS 1.0 & 1.1 so my app works on Android < 4.4 too.
Please help me.
Thanks


#2

Protocol settings are controlled by the web service (not the certificate used).
Your web server/service should probably have a configuration file that can be modified to include/exclude protocols and ciphers, etc.

[edit]
Or in the case of LiteSpeed, perhaps a management/admin area something like:
http://internal.ip:7080/


#3

So, should I contact my host manager?


#4

If you have “root” access, you can “manage” it yourself.
If you have access to a cPanel (or such) for it, you might be able to make the necessary changes.
If you are unsure about anything, yes, I would first talk with the hosting company about where/how to best make such changes.


#5

I have cPanel access:
SSL/TLS
SSL/TLS Status
Let’s Encrypt™ SSL
How can I enable TLS 1.0 & 1.1?


#6

You should ask your hosting provider first.


#8

Please tell me what to do.
I’ll contact my hosting provider and tell them.
What exactly should I tell them?


#9

Tell them exactly the same that you told us here.
“How can I enable TLS1.0&1.1?”
“I want to enable TLS 1.0 & 1.1 so my app works on Android < 4.4”


#10

I asked them, but they said: we cannot enable it, because you are on shared hosting. If you want to do this, you must buy a dedicated server.
:sob:


#11

If you have access to any other Internet connected server that has TLS1.0 or TLS1.1 enabled, maybe you can use that one to proxy to this one.

Otherwise, you may need to change to dedicated server or change hosting company.


#12

No, I don’t have one.
The hosting manager said I have to buy premium SSL; with premium SSL there is no problem with TLS 1.0 and 1.1,
but with free SSL there is a problem.
Is that true?


#13

There’s no technical requirement.

Your host is choosing to do this for business reasons, or because it’s convenient with their software.


#14

The other possible reason is that some sites that accept credit cards were told to disable it due to an industry requirement (because it’s considered obsolete). So, if this host has other customers who are subject to that rule, it might have disabled these protocol versions because that’s what the other customers want due to these industry rules.

In this case, it might be hard for the host to make everyone happy on the same shared server, because disabling the old TLS versions will reduce compatibility with old devices. But not disabling them will show a warning on scanners that check for payment industry rules. It’s pretty hard to support a different set of TLS versions on the same shared server for different customers.

I agree with @mnordhoff’s point that this is mostly a business decision, but in this case the host might have reasons other than only wanting you to pay more—complying with your request might have negative consequences for some other customers.

Probably the easiest choices would be to find a host that’s similar to your current host but that happens to have these old TLS versions enabled (maybe because it doesn’t have any customers who accept credit cards directly on their sites), or to buy a VPS plan from any provider that offers one. (In this case, you are the system administrator and you directly control the TLS configuration and other system settings. This gives you much more responsibility around things like installing, configuring, and updating system software, and also more control over all of the system configuration options.)


#15

It is technically possible, but it’s a lot of extra work because no popular software for hosting web sites provides an easy way to do this automatically. So a shared hosting provider basically has three options:

  • Enable TLS 1.0 and 1.1 for everyone (makes @pccloob happy because of device compatibility, but makes other customers unhappy)
  • Disable TLS 1.0 and 1.1 for everyone (makes other customers unhappy because of payment industry rules, but makes @pccloob unhappy)
  • Do a lot of extra work to create a very custom configuration

But this isn’t an issue on a VPS or dedicated plan, because the customer can choose the configuration for the whole server. In this case, you could look at

https://mozilla.github.io/server-side-tls/ssl-config-generator/

for server configuration recommendations that achieve the desired compatibility with older clients.


#16

I believe this is a lot simpler than most people think:
I’ve been able to serve different protocols for different vhost configs.
The main catch is that the base/default system must combine all protocols required by all tenants.
Then each tenant is free to choose (within their vhost) which protocol they want to use.

Once the base has been set (say to TLSv1.2 ONLY), there is no way for any tenant vhost config to expand on that base (their settings get ignored).
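
The per-vhost arrangement described in the post above, written out as an Apache httpd configuration. This is an added example, not part of the original thread or any poster's configuration; the choice of Apache, the hostnames and the certificate paths are assumptions.

```apache
# Added illustration. Hostnames and certificate paths are placeholders.
# Assumes Apache httpd 2.4.42+ built against OpenSSL 1.1.1+, where the
# SSLProtocol of a name-based vhost is honored when the client sends SNI.
# On older builds the first vhost on the IP:port decides for everyone.

# Base (server-wide) setting: the union of what every tenant needs.
SSLProtocol all -SSLv3

# Tenant that must keep serving old clients: TLS 1.0 and 1.1 stay on.
<VirtualHost *:443>
    ServerName legacy-tenant.example
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/legacy-tenant.example/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/legacy-tenant.example/privkey.pem
    SSLProtocol all -SSLv3
</VirtualHost>

# Tenant subject to payment-industry rules: narrows the base to
# TLS 1.2 and 1.3 only.
<VirtualHost *:443>
    ServerName shop-tenant.example
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/shop-tenant.example/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/shop-tenant.example/privkey.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
```

Check each hostname separately, for example with `openssl s_client -connect HOST:443 -servername HOST -tls1_1`, because the protocol offered depends on the SNI name the client sends.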


#17

(I moved that subject to #help instead of #help:aide-en-francais)


#18

I think no shared hosting provider would adjust their cPanel / WHM protocol settings just for a single user’s request… (Not to mention that for the newer versions of cPanel / WHM, it’s relatively hard for host technicians to adjust the protocol… since cPanel disabled it from the coding side)