How to fix weak SSL/TLS ciphers or old protocols
Your server accepts old TLS versions (TLS 1.0, 1.1) or weak ciphers (RC4, 3DES, CBC-mode suites). These have known vulnerabilities and are being phased out. The modern recommendation is to support only TLS 1.2 and TLS 1.3, with AEAD ciphers (AES-GCM, ChaCha20-Poly1305). On managed platforms (Vercel, Cloudflare), this is mostly handled automatically. If your scanner still flags weak ciphers there, check whether a legacy TLS setting is enabled.
Why it matters
TLS 1.0/1.1 are deprecated by PCI DSS and most major browsers. Weak ciphers enable downgrade and padding-oracle attacks. For a serious security posture — or to meet compliance — these must be disabled.
How to check
1. Use Qualys SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=your-domain.com
2. Aim for grade A or A+. B or lower indicates issues.
3. Specifically check the Protocols section (no TLS 1.0/1.1) and the Cipher Suites section (no weak/export/null ciphers).
How to fix it
Vercel
Vercel uses modern TLS by default. If flagged, check if you have a custom origin or proxy in front.
Cloudflare
Dashboard → SSL/TLS → Edge Certificates → Minimum TLS Version: TLS 1.2. Disable TLS 1.0 & 1.1.
nginx
Set the allowed protocols and cipher suites:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
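To check an nginx config against these settings before reloading, here is an added example (not part of the original guide) that flags pre-TLS 1.2 protocols and any cipher entry that is not an AEAD suite. The helper names `directive_values` and `audit` and the `LEGACY` sample are constructed for illustration; keyword selectors such as `HIGH` are reported too, since they cannot be confirmed as AEAD-only.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")  # AEAD modes in OpenSSL suite names

def directive_values(config, name):
    """Argument lists of every `name ...;` directive, with # comments stripped."""
    text = re.sub(r"#[^\n]*", "", config)
    pattern = r"(?:^|[;{}\s])" + re.escape(name) + r"\s+([^;]+);"
    return [m.group(1).split() for m in re.finditer(pattern, text)]

def audit(config):
    """Return findings for protocols and ciphers outside the TLS 1.2+/AEAD policy."""
    findings = []
    protocols = directive_values(config, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: the nginx version's default applies")
    for args in protocols:
        findings += [f"protocol {p} enabled" for p in args if p in WEAK_PROTOCOLS]
    ciphers = directive_values(config, "ssl_ciphers")
    if not ciphers:
        findings.append("ssl_ciphers not set: the default cipher list applies")
    for args in ciphers:
        for suite in re.split(r"[:,\s]+", " ".join(args).strip("\"'")):
            if not suite or suite[0] in "!-@":
                continue  # exclusions and @STRENGTH-style keywords
            if not any(marker in suite.upper() for marker in AEAD_MARKERS):
                findings.append(f"cipher {suite} is not an AEAD suite")
    return findings

# Constructed sample: a legacy config of the kind a scanner flags.
LEGACY = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # kept for old clients
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:RC4-SHA:!aNULL;
}
"""
# The nginx settings from this guide.
HARDENED = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
"""

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, audit(conf) or "ok")
```

A clean result only covers the file you pass in; re-run the SSL Labs test afterwards to confirm what the server actually negotiates.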
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My SSL Labs report shows weak TLS protocols or ciphers. Tell me my current host (Vercel, Cloudflare, nginx, Apache) and give me the exact config change to require TLS 1.2 minimum and enable only modern AEAD cipher suites. After the change, tell me how to re-test with SSL Labs.
Frequently asked questions
- Will disabling TLS 1.0/1.1 break old users?
- Only users on Windows XP / very old Android. The fraction is under 0.1% on most sites. The compliance and security benefits outweigh the cost.