My latest server-side upgrade finally supports TLS 1.3. All advice out there is that I should fully disable TLS 1.0 and 1.1.
But I still have TLS 1.0 and 1.1 enabled.
And, no, I don't plan on removing either until I absolutely have to.
This is mostly a static site. The few things that are interactive on this site are all search-engine findable. I'm not asking anyone for sensitive information, and I don't have controversial or sensitive data here.
Sadly, that's not even remotely true. Lots of sites will talk endlessly about how all the browser software was updated. Problem is, that doesn't help someone with a 6-year-old tablet or cell phone.
Though TLS 1 has been around for 20 years, SSL 3 was thought to still be secure as recently as early 2014. Firefox support for TLS 1.1 and 1.2 both hit main release (Firefox 27) on 4 Feb 2014. Cheaper Android devices didn't support TLS 1.2 for another year or more past that.
I personally still use two devices that only support SSL 3, not even TLS 1.0. Secure sockets for my sites use domain stapling, which isn't available in the older SSL protocols. Those devices aren't helped, but anything in that 4-to-6-year-old range will still be able to use this site.
I will sometimes see mobile devices kicked out of TLS negotiation because they can't support TLS at all and are hoping for SSL, and I feel bad. 15-year-old candybar phones still work in some parts of the world, and many people use them as their primary internet connectivity.
I really don't feel the need to pressure any person who doesn't want to update their barely older hardware that still otherwise works just fine.
Maybe I'll reconsider in 2024 (or my next major server OS upgrade will decide FOR me).