TLS version

Every TLS connection begins with a negotiation. The client offers a list of protocol versions it supports. The server picks the highest it also supports. The result is a single number that tells you a lot about the stack on both ends: TLS 1.3 says both sides are modern; TLS 1.1 says something is old enough that it needs to be replaced.

The landscape

Five versions exist in the wild. Only two should be negotiable in 2026.

Protocol versionsnewest first

TLS 1.3RFC 84461-RTT handshake, AEAD-only ciphers, forward secrecy mandatoryrecommended

TLS 1.2RFC 5246still everywhere, still fine; prefer 1.3 for new deploymentsacceptable

TLS 1.1RFC 8996browsers dropped support; MUST NOT be useddo not use

TLS 1.0RFC 8996POODLE, BEAST, Lucky13 all bit this versiondo not use

SSL 3.0RFC 7568POODLE killed it; any server still offering SSL is brokenforbidden

The "do not use" verdicts come from RFC 8996, which formally deprecates TLS 1.0 and 1.1 with a MUST NOT. SSL 3.0 was retired by RFC 7568 in 2015 after the POODLE attack.

One round trip

The biggest practical win of TLS 1.3 is one less round trip before your application can send data. On mobile and long-distance links that is tens of milliseconds of handshake time saved on every new connection.

TLS 1.22 round trips

client →ClientHello
server →ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
client →ClientKeyExchange, ChangeCipherSpec, Finished
server →ChangeCipherSpec, Finished
client →application data (first byte)

TLS 1.31 round trip

client →ClientHello (with key share)
server →ServerHello, EncryptedExtensions, Certificate, Finished
client →Finished + application data (first byte)

1.3 also supports 0-RTT (early data), which cuts even that last round trip for resumed connections. 0-RTT has replay-attack tradeoffs, so most servers keep it off by default, but the 1-RTT handshake alone is strictly faster than anything 1.2 can do.

What 1.3 actually changed

The fast handshake is the headline. The real cleanup is in what 1.3 removed:

Static RSA key exchange is gone. Every 1.3 cipher suite uses ephemeral Diffie-Hellman or X25519. Forward secrecy is mandatory.
Non-AEAD ciphers are gone. CBC-mode cipher suites, RC4, 3DES, MD5, SHA-1 are all out. The only ciphers 1.3 defines are AES-GCM, AES-CCM, and ChaCha20-Poly1305.
Compression is gone. Removed to close CRIME and BREACH.
Renegotiation is gone. Replaced by key update, which has a much simpler state machine.
Most of the handshake is encrypted. Everything after ServerHello is protected, including the certificate. On a passive observer, 1.3 leaks the server name (via SNI in ClientHello) and the raw byte patterns; ECH will close even that gap.

Specified in RFC 8446. Internet Standard since 2018.

Deprecation timeline

Browsers dropped 1.0 and 1.1 between March 2020 and June 2021 (Chrome, Firefox, Safari, Edge all on a coordinated schedule). Server operating systems followed. PCI DSS has required TLS 1.2 or higher since 2018; the CNSA 2.0 profile requires 1.2 at minimum and 1.3 for new systems.

Any site still offering TLS 1.0 in 2026 is either running a legacy appliance that cannot be updated, or its operators have not looked. Both are problems.

What to enable

The Mozilla server-side TLS configuration guide publishes two current profiles:

Profile	Versions	Cipher suites	Use when
Modern	TLS 1.3 only	AES-GCM and ChaCha20-Poly1305	your users are on modern browsers and devices only
Intermediate	TLS 1.2 + 1.3	ECDHE-based AEAD ciphers	you need to serve anything from the last ~5 years

Mozilla removed its "Old" profile in 2020 because keeping TLS 1.0 for legacy clients was no longer a justifiable tradeoff. Intermediate is the default answer for most deployments.

Common mistakes

TLS 1.0 or 1.1 still offered

A server that accepts 1.0 is an attack surface. Even if no legitimate client negotiates it, an attacker can force a downgrade. Disable explicitly.

1.3 disabled to "support old clients"

1.3 clients negotiate down to 1.2 automatically. Turning 1.3 off hurts modern clients without helping old ones.

weak cipher suites alongside 1.3

1.3 only ships AEAD ciphers, but if your config also enables 1.2 with CBC-mode suites (ECDHE-RSA-AES256-SHA), a client on a restricted corporate network may be forced down into them. Keep 1.2 cipher suites tight.

0-RTT enabled without replay protection

Early data can be replayed by anyone who captures the first request. Only safe for idempotent operations. Default off unless you know the app is safe.

OS and OpenSSL too old to offer 1.3

Ubuntu 18.04 and its OpenSSL 1.1.1 predate 1.3's widespread deployment. The server silently tops out at 1.2. Upgrade the OS or link a newer OpenSSL.

Check which protocol versions your server actually offers and what it picks for a modern client: scan your domain.