Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don't: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3.
Those are the Internet Engineering Task Force's latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).
The document (authors Yaron Sheffer of Intuit, Ralph Holz of National ICT Australia and Peter Saint-Andre of &yet) is a response to attacks on TLS and SSL (including the notorious Heartbleed and POODLE bugs).
As the document states, “These are minimum recommendations for the use of TLS in the vast majority of implementation and deployment scenarios, with the exception of unauthenticated TLS”.
The document also says both server and client implementations need to be careful about fallback. In particular, since SSL 3 is nearly dead (“IP scans show that SSLv3-only servers amount to only about three per cent of the current Web server population”, the RFC states), clients must no longer fall back to SSL 3.
Systems need to avoid SSL stripping by avoiding combining TLS-protected sessions with unprotected sessions, and TLS-level compression should be disabled to avoid compression-related attacks (the CRIME, TIME and BREACH attacks outlined in this RFC).
The RFC also outlines how to protect session resumption after interruptions; during TLS renegotiation; and provides guidelines on cipher suite selection. ®