Mozilla Server Side TLS – Recommended Configurations

[ufo]

Despite the title of this submission, the wiki page actually is recommending the "Intermediate" configuration by default, which also includes TLS 1.2

In practice, how much of a compatibility hit is there between the Intermediate and the Modern configurations?

[ChrisSD]

Indeed the title is wrong though I can see how someone could get confused. These are all "recommend" configurations depending on how bleeding edge (or not) you want to be. But intermediate is the recommended of the recommended configurations.

[ChrisSD]

The submission title has now been changed to better reflect the content so my comment no longer applies.

[dfc]

According to caniuse, TLS1.3 is supported by 75% of browsers in use:

https://caniuse.com/#feat=tls1-3

[unilynx]

And that's just browsers... if you provide an API you may be dealing with external users who are a lot further behind than the browsers.

If your API clients are diverse, turning off pre-TLS1.2 versions even now will probably break a lot of them.

[wereHamster]

Modern doesn't support IE11, this may be a big issue for some organizations.

See also https://caniuse.com/#feat=tls1-3

[floatingatoll]

Glancing at the table of clients, I would personally guess that Modern requires TLS 1.3, OpenSSL 1.1.1, and Java 11, which is a high bar to meet for what’s likely deployed and in use in long-term support production systems. (I don’t know the actual worldwide client data statistics, so this is just a guess.)