What is the difference between enhanced TLS and standard TLS?
I read on some forum that you can create your TLS certificate without any enhanced.
For what is it useful? Is there any security risk in creating TLS certificate without having enhanced?
Thanks. Shivam.
In normal TLS 1.1 or later: You don't even have to mention it at all; TLS 1.2 and beyond will negotiate their own certificates (and verify them) just fine. It doesn't matter whether you tell your client/web server that you're running an "X.509" or a "TLS".
By contrast, in non-upgraded (and older than 1.0) SSL and TLS: The ClientHello only states the basic SSL/TLS parameters; it has no opportunity to specify how or whether certificate validation should be implemented, i.e., which CA certs you use. The CertificateRequest message also only specifies a certificate; it contains no information about CA checks, etc. As a consequence of this, when a client wishes to connect to a non-enabled web server over SSL/TLS, in older versions of SSL/TLS it will send:
A Server Hello with:
a) No client authentication (no ClientHello)
b) a certificate with none or zero certificates.
Which then results in: The Certificate is validated on the server side; its hostname must match the FQDN. In normal SSL/TLS (but not necessarily in non-upgraded TLS 1.0 or less), the certificate can be used for authentication, which means the client/web server needs a copy of that certificate from the CA cert.
Is TLS 1.2 still acceptable?
TLS 1.2 support is still relatively new, and even if you are not on the bleeding edge of TLS 1.2 adoption, some of your users may still be.
Should you continue to support TLS 1.2? TLS 1.2 has some features that we can't turn off in TLS 1.1 mode, such as:
The ability to renegotiate protocols at any time.
The ability to change cipher suites mid-stream.
The ability to encrypt the connection while a handshake is taking place.
These features make it possible for users to do things like:
Automatically switch between a different cipher suite when the handshake is going on.
Automatically connect over HTTP if a secure connection isn't possible.
If you're just talking about the ability to use certain types of cryptography, sure, you can turn off the cryptographic features of TLS 1. But the fact is that most of us need to support these newer features.
Do you really want to turn off the cryptographic features of TLS 1.2? TLS 1.2 has been out for less than two years, and many people have had their existing software upgraded to TLS 1. In many cases, upgrading to TLS 1.2 was a pretty simple process. Users can easily be stuck with software that doesn't fully support the newer protocol.
It's hard to predict how many of your users will be affected by this, and it depends on your use cases. Some are more important than others.
If you run a website, or if your product is used by people who run their own website, then it probably makes sense to keep TLS 1. But if you run an internal network that's behind a firewall, or if you run an internal network that's accessible over the internet, then you should consider turning off TLS 1. You can always keep TLS 1.2 support turned off by setting it to TLS10 or TLS11. But if you keep TLS 1.2 support turned off, it could potentially cause your users problems.
Do you have any customers who would be impacted? If your product supports the newer TLS 1.2 features, then it's unlikely that your users will be affected by the changes.
What is the difference between TLS 1.2 and 1.3?
Why should I be using TLS 1.2 instead of TLS 1.3? Is TLS 1.3 broken? What would have happened if I did use the deprecated TLS, why did it break things? Is a certificate for domain example.com also trusted to a domain www.
TLS 1.2 requires support for extensions like "signature_algorithms" and TLS v1.3 requires those extensions as well. But the protocol still allows for any combination of old and new versions, so they didn't break anything.
For servers with out-of-the-box setups, this will work without any changes, but you can also change the defaults in your ssl.conf to make them different on the two endpoints.