by regecks 2810 days ago
There's no reason to remove TLS 1.1 from your server. This change is about the minimum protocol version supported by the browser.

Your server can advertise SSLv3 support alongside TLS 1.2, and Chrome 70 will still happily connect to it.


People also thought that there's no reason to remove SSLv2 from your server, and then the DROWN attack happened:

https://drownattack.com/

DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

> There's no reason to remove TLS 1.1 from your server.

I posit there's no reason to support TLS 1.1 on your server. There are very few clients that support TLS 1.1, but not TLS 1.2. So, either you are willing to support clients on TLS 1.0 (or SSLv3), or you aren't.
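The two comments above both come down to which protocol versions a server is willing to negotiate. The following audit helper is an added example written for this thread, not code posted by any commenter: it lists the versions an `ssl.SSLContext` will accept (mapping the `MINIMUM_SUPPORTED`/`MAXIMUM_SUPPORTED` sentinels to concrete versions), flags the deprecated ones, builds a server context that offers only TLS 1.2 and 1.3, and can probe a host you administer by pinning one version per handshake. The host name in the `__main__` block is a constructed placeholder.

```python
"""Audit which SSL/TLS protocol versions a context or a server accepts.
Added example for this thread; the host/port below are constructed placeholders."""
import socket
import ssl

# Oldest -> newest; all are members of ssl.TLSVersion (Python >= 3.7).
VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
# Versions a current deployment should not offer at all.
DEPRECATED = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def enabled_versions(minimum, maximum):
    """Names of every version in [minimum, maximum].

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean "whatever the linked OpenSSL
    allows"; they are widened here to SSLv3 .. TLSv1_3 so the range is explicit."""
    lo = VERSIONS[0] if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED else minimum
    hi = VERSIONS[-1] if maximum == ssl.TLSVersion.MAXIMUM_SUPPORTED else maximum
    return [v.name for v in VERSIONS if lo <= v <= hi]


def context_versions(ctx):
    """Versions an ssl.SSLContext will negotiate, by name."""
    return enabled_versions(ctx.minimum_version, ctx.maximum_version)


def deprecated_versions(names):
    """Subset of the given version names that a hardened policy should drop."""
    return [n for n in names if ssl.TLSVersion[n] in DEPRECATED]


def hardened_server_context():
    """Server context that offers TLS 1.2 and 1.3 only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def probe_server(host, port, timeout=5.0):
    """One handshake per version, with that version pinned as both the client
    minimum and maximum.  Needs network access.  Each result is 'accepted',
    'rejected', or 'unsupported locally' when the local OpenSSL cannot even
    be configured for that version (typical for SSLv3 on current builds)."""
    results = {}
    for version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False   # we audit the version offer, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[version.name] = "unsupported locally"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[version.name] = "accepted"
        except (ssl.SSLError, OSError):
            results[version.name] = "rejected"
    return results


if __name__ == "__main__":
    names = context_versions(hardened_server_context())
    print("hardened context offers:", names,
          "deprecated among them:", deprecated_versions(names))
    # Constructed placeholder host; point this at a server you administer.
    # print(probe_server("tls-host.example", 443))
```

`probe_server` reports what the server will negotiate with a client that speaks only one version, which is the server-side question the thread is about (what is offered), separate from the browser-side question of what Chrome's minimum is.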

Apple only added TLS 1.2 to their SecureTransport lib in OS X 10.9, which was released in late 2013. Not so old!

Did they actually support TLS 1.1 though?

1. Downgrade attacks.

2. Preventing people from shooting themselves in the foot.