I. INTRODUCTION
SSL (all versions) TLS 1.0 and 1.1 have been found to have vulnerabilities that can be exploited by attackers. TLS 1.2 is now supported on all major web browser platforms. To ensure a secure environment, TLS 1.0 and 1.1 should be disabled on all TCNJ supported systems.
II. DEFINITIONS
SSL – Secure Sockets Layer – SSL version 1.0 was never publicly released because of serious security flaws in the protocol. Version 2.0, released in February 1995, contained a number of security flaws which necessitated the design of version 3.0. Released in 1996, SSL version 3.0 represented a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of Consensus Development. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101. (source wikipedia)
TLS 1.0 and 1.1 – Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications such as email, instant messaging, and voice over IP, but its use as the Security layer in HTTPS remains the most publicly visible. In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020. (source wikipedia)
III. POLICY
All systems storing College owned data or connecting to TCNJ networks must have SSL, TLS 1.0, and TLS 1.1 disabled and support for TLS 1.2 enabled. Any exceptions to this policy must be documented along with any additional security controls and must be approved by the Information Security Office.
Before a system or service reaches End of Life, a plan to migrate or decommission the service should be executed.
—————————————————————————————————————————————————————–
Disable SSL on Windows Server
https://www.digicert.com/kb/ssl-support/iis-disabling-ssl-v3.htm
Disable TLS 1.0 and 1.1 on Windows Server
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman#tls-dtls-and-ssl-protocol-version-settings
Disable TLS 1.0 and 1.1 on Apache and Nginx
https://www.inmotionhosting.com/support/website/ssl/disable-tls-versions/
Disable TLS 1.0 and 1.1 on Windows desktop via GPO
https://techpress.net/disable-tls-1-0-and-tls-1-1-on-windows-10-machines-through-gpo/