How can i enable TLS1.0&1.1?

pccloob · December 18, 2018, 4:06pm

hi everyone
i use Let’s Encrypt SSL in my site: https://pccloob.ir
i enable it from my host.but the TLS 1.0 & 1.1 is not enabled and my app dont work in android < 4.4
i want enable TLS 1.0 & 1.1 so my app work in android < 4.4 too.
please help me.
thanks

rg305 · December 18, 2018, 4:20pm

Protocol setting are controlled by the web service (not the certificate used).
Your web server/service should probably have a configuration file that can be modified to include/exclude protocols and ciphers, etc.

[edit]
Or in the case of LightSpeed, perhaps a management/admin area something like:
http://internal.ip:7080/

pccloob · December 18, 2018, 4:26pm

so,i should contact with my host manager?

rg305 · December 18, 2018, 4:28pm

If you have “root” access, you can “manage” it yourself.
It you have access to a cPanel (or such) for it, you might be able to make the necessary changes.
If you are unsure about anything, yes, I would first talk with the hosting company about where/how to best make such changes.

pccloob · December 18, 2018, 4:39pm

i have cpanel access.
SSL/TLS
SSL/TLS Status
Lets Encrypt™ SSL
how can enable TLS 1.0 & 1.1?

rg305 · December 18, 2018, 4:44pm

You should ask your hosting provider first.

pccloob · December 18, 2018, 5:21pm

please tell me what i do?
i contact my hosting provider and tell them.
what i tell them exactly?

rg305 · December 18, 2018, 5:44pm

Tell them exactly the same that you told us here.
"How can I enable TLS1.0&1.1?"
"I want enable TLS 1.0 & 1.1 so my app works in android < 4.4"

pccloob · December 19, 2018, 9:22am

i ask him but they said : we can not enable it. because you are in the Shared Host. if you want do this must buy dedicated server.

rg305 · December 19, 2018, 2:24pm

If you have access to any other Internet connected server that has TLS1.0 or TLS1.1 enabled, maybe you can use that one to proxy to this one.

Otherwise, you may need to change to dedicated server or change hosting company.

pccloob · December 19, 2018, 3:39pm

no i dont have.
hosting manager said : i have to buy premium ssl. in premium ssl there is no problem with tls 1.0 and 1.1
but in free ssl there is problem.
is that true?

mnordhoff · December 19, 2018, 3:50pm

There’s no technical requirement.

Your host is choosing to do this for business reasons, or because it’s convenient with their software.

schoen · December 19, 2018, 6:13pm

The other possible reason is that some sites that accept credit cards were told to disable it due to an industry requirement (because it’s considered obsolete). So, if this host has other customers who are subject to that rule, it might have disabled these protocol versions because that’s what the other customers want due to these industry rules.

In this case, it might be hard for the host to make everyone happy on the same shared server, because disabling the old TLS versions will reduce compatibility with old devices. But not disabling them will show a warning on scanners that check for payment industry rules. It’s pretty hard to support a different set of TLS versions on the same shared server for different customers.

I agree with @mnordhoff’s point that this is mostly a business decision, but in this case the host might have reasons other than only wanting you to pay more—complying with your request might have negative consequences for some other customers.

Probably the easiest choices would be to find a host that’s similar to your current host but that happens to have these old TLS versions enabled (maybe because it doesn’t have any customers who accept credit cards directly on their sites), or to buy a VPS plan from any provider that offers one. (In this case, you are the system administrator and you directly control the TLS configuration and other system settings. This gives you much more responsibility around things like installing, configuring, and updating system software, and also more control over all of the system configuration options.)

schoen · December 19, 2018, 6:21pm

It is technically possible, but it's a lot of extra work because no popular software for hosting web sites provides an easy way to do this automatically. So a shared hosting provider basically has three options:

Enable TLS 1.0 and 1.1 for everyone (makes @pccloob happy because of device compatibility, but makes other customers unhappy)
Disable TLS 1.0 and 1.1 for everyone (makes other customers unhappy because of payment industry rules, but makes @pccloob unhappy)
Do a lot of extra work to create a very custom configuration

But this isn't an issue on a VPS or dedicated plan, because the customer can choose the configuration for the whole server. In this case, you could look at

https://mozilla.github.io/server-side-tls/ssl-config-generator/

for server configuration recommendations that achieve the desired compatibility with older clients.

rg305 · December 20, 2018, 1:22am

I believe this is a lot simpler than most people think:
I've been able to serve different protocols for different vhost configs.
The main catch is that the base/default system must combine all protocols required by all tenants.
Then each tenant is free to chose (within their vhost) which protocol they want to use.

Once the base has been set (say to TLSv1.2 ONLY), their is no way for any tenant vhost config to expand on that base (their settings get ignored).

tdelmas · December 28, 2018, 5:26pm

(I moved that subject to #help instead of #help:aide-en-francais)

stevenzhu · December 28, 2018, 7:46pm

I think there's no shared hosting provider would adjust their cPanel / WHM protocal settings just for single user's request..... (Not to mention for the newer version of cPanel / WHM, it's relatively hard for host technicans to adjust protocol.... since cpanel disabled it from coding side)

system · January 27, 2019, 7:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.