TLS is the modern/secure replacement for SSL (SSL got to 3.0 and TLS 1.0 was sort of SSL 3.1)

TLS specification is here: https://www.rfc-editor.org/rfc/rfc2246

TLS 1.3 was released 2018

TLS 1.0 and 1.1 have security issues like BEAST and POODLE

TLS 1.2 has certain less secure cipher suites like TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA

99% of servers support 1.2 and >70% support 1.3

To avoid insecure protocol downgrade attacks (FREAK, Logjam) it's important that the minimum protocol version is set high enough

Cipher suites that lack forward secrecy should be avoided

Debian package "sslscan" can be used to list enabled TLS versions and cipher suites for a given TLS host (can also show SANs and info about server is vulnerable to Heartbleed etc)


# check which if any intranet servers are still accepting TLS 1.0 requests
curl -s https://service-directory.intranet.foobar.com/ | sed -nE 's#.*//(.*\.intranet.foobar.com).*#\1#p' | sort -u | xargs -I HST echo "echo HST \$(sslscan --no-ciphersuites --no-heartbleed --no-renegotiation --no-groups --no-fallback --no-compression --no-cipher-details --tls10 --no-check-certificate --connect-timeout=1 HST 2>&1 | g TLSv1.0)" | sh | grep enabled