Protocols & ciphers

TLS protocol versions


TLS 1.3 (2018) is the current standard: faster handshakes, only forward-secret AEAD ciphers, and no legacy footguns. TLS 1.2 remains widely needed for older-but-current clients. **TLS 1.1, TLS 1.0, and SSLv3 are deprecated and insecure** — they were formally retired by RFC 8996 and are disallowed by PCI-DSS. Only enable them in the Old profile if you genuinely must serve clients that have no other option. TLS 1.3 requires OpenSSL 1.1.1 or newer; on older OpenSSL the generator drops it automatically.
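The check below is an added example, not the generator's own code: it audits a config for deprecated protocol versions and computes the set that remains once TLS 1.3 is dropped on an OpenSSL older than 1.1.1. It assumes nginx-style `ssl_protocols` directives; the function names `parse_openssl_version` and `audit_protocols` and the sample config are constructed for illustration.

```python
import re

# Versions the text above calls deprecated and insecure.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
TLS13_MIN_OPENSSL = (1, 1, 1)  # TLS 1.3 requires OpenSSL 1.1.1 or newer

# Constructed sample config (nginx-style syntax is an assumption).
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  # legacy clients
}
server {
    listen 8443 ssl;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def parse_openssl_version(text):
    """Turn '1.0.2k', '1.1.1w' or '3.0.13' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return tuple(int(part) for part in m.groups())


def audit_protocols(config_text, openssl_version):
    """Return one (effective_protocols, findings) pair per ssl_protocols directive."""
    tls13_ok = parse_openssl_version(openssl_version) >= TLS13_MIN_OPENSSL
    results = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = re.search(r"\bssl_protocols\s+([^;]+);", line.split("#", 1)[0])
        if not m:
            continue  # no directive here, or it is commented out
        requested = m.group(1).split()
        findings = [f"line {lineno}: {p} is deprecated and insecure"
                    for p in requested if p in DEPRECATED]
        effective = [p for p in requested if p != "TLSv1.3" or tls13_ok]
        if len(effective) < len(requested):
            findings.append(f"line {lineno}: TLSv1.3 dropped, OpenSSL {openssl_version} < 1.1.1")
        results.append((effective, findings))
    return results


if __name__ == "__main__":
    for effective, findings in audit_protocols(SAMPLE_CONF, "1.0.2k"):
        print(effective, findings)
```
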
