Compatibility profiles
The configuration is built around the three Mozilla Server Side TLS profiles. **Modern** offers TLS 1.3 only and is the strongest, but drops clients older than roughly 2018. **Intermediate** adds TLS 1.2 with forward-secret ECDHE/DHE ciphers and is the recommended default for almost every public website. **Old** reaches ancient clients (Windows XP / IE 6, Android 2.3) by re-enabling deprecated TLS 1.0/1.1 and legacy ciphers — it fails PCI-DSS and most compliance baselines, so use it only when you have a hard requirement and a plan to retire it. When in doubt, choose Intermediate.