Hello,
Is it currently possible to disable TLS 1.0 in Nextcloud in a shared hosting environment (where the webhost cannot disable it due to others’ compatibility)?
I see this is an issue that is resolved in future releases. See here and here.
Thank you,
Ari
Most web hosters have SSLv2 and SSLv3 already disable by default, leaving TLS1.0 to TLS1.2 activated.
So I totally understand his request to disable TLSv1.0 now as well - and I honestly suggest to disable TLS1.1 in addition as well. Securitywise it is rather worse than TSLv1.0 and it is only the decision betwween 1.0 or 1.2 anyway.
@adoucette
The issues you linked are only snap issues. Changes in the snap image of Nextcloud would only help you if your hoster is using this snap image.
I can only guess, but your hoster is problably using his own web server with their own TLS configuration.
I wondering why your hoster cannot configure different TLS settings for different customers like you are. I believe there should be virtual hosts set up for every customer’s web instance and each virtual host can be configured individually.
You just should be 100% sure, there is no client device which doesn’t support TLSv1.2 in combination with the configured cipher suites. With a little older Android mobile devices it can become tricky.
In short again: the way understand it, the hoster has to configure the TLS settings for you. Usually it is not the task of the web application itself.
There seems to be a way with .htaccess for apache web servers however, which you could try:
Not sure if you can edit your htaccess yourself or if you need the web hoster as well for that.
Excellent, I will work this through htaccess, didn’t know there was an option for that.
Thanks!
Ari