Why does SSL Labs flag TLS 1.0 and 1.1?

SSL Labs flags TLS 1.0 and TLS 1.1 because both are deprecated — formally retired by the industry in 2020 for weaknesses that modern attacks can exploit — yet many servers still accept them for backwards compatibility:

  • It caps your grade — when your server answers connections using these old versions, SSL Labs caps your grade, typically at a B, even if the rest of your configuration is perfect, because any visitor whose connection negotiates the weak version is exposed.
  • The fix — disable TLS 1.0 and 1.1 at the server or CDN and accept only TLS 1.2 and 1.3; every current browser supports 1.2, so almost no real visitor is affected.

66% of Australian small business sites do not yet support TLS 1.3 at all*, so this is a widespread gap rather than an unusual one. A B grade from SSL Labs is almost always old TLS still switched on — turning it off is a one-setting change at your host or Cloudflare.