A few things to note about protocols:

  1. There are 5 common protocols: SSLv2, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2.
  2. SSLv2, SSLv3 and TLSv1.0 have known security issues. In fact, SSLv2 and SSLv3 should not be used anymore.
  3. The fewer protocols you enable, the fewer devices can connect, so you need to find a balance between the two. TLSv1.0 support can be dropped if you only provide services to modern devices/browsers.
  4. The Mozilla SSL Configurator has suggestions on which protocols and cipher suites to enable.

A few things to note about cipher suites:

  1. Each protocol has its own range of supported cipher suites. The exception is TLSv1.1, which has no cipher suites of its own and can use all of those supported by TLSv1.0.
  2. The client and server need to support a common cipher suite in order to establish the connection. Note that the server can suggest a list of common cipher suites, but it is usually the client that decides which one is used.
  3. If you enable a protocol but do not support any of its cipher suites, no client can connect to your server using that protocol.
  4. A list of supported cipher suites for each protocol can be found on the OpenSSL website.
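To make points 1 to 3 above concrete, here is a small model of protocol and cipher-suite negotiation. It is an added example, not code from the original post: the suite names are real OpenSSL names, but the `MIN_VERSION` table covers only a handful of suites and the server/client configurations are constructed for illustration.

```python
# Added example: a model of TLS protocol / cipher-suite negotiation.
# Suite names are real OpenSSL names; the table and the configurations
# used in negotiate() are constructed and not exhaustive.

VERSIONS = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Lowest protocol version each suite can be used with. A suite stays usable
# under later versions, which is why TLSv1.1 has no suites of its own and
# simply reuses the TLSv1.0 ones; the AEAD/SHA-2 suites need TLSv1.2.
MIN_VERSION = {
    "RC4-SHA": "SSLv3",
    "AES128-SHA": "SSLv3",
    "ECDHE-RSA-AES128-SHA": "TLSv1.0",
    "ECDHE-RSA-AES256-SHA": "TLSv1.0",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLSv1.2",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLSv1.2",
}


def usable_suites(version, suites):
    """Suites from `suites` that the given protocol version can carry."""
    rank = VERSIONS.index(version)
    return [s for s in suites if VERSIONS.index(MIN_VERSION[s]) <= rank]


def negotiate(server_versions, server_suites, client_versions, client_suites,
              prefer_server_order=False):
    """Return (version, suite), or None when no connection is possible.

    Picks the highest version both sides enable, then a suite both sides
    support under that version. By default the client's preference order
    wins, matching the note above; prefer_server_order mirrors nginx's
    ssl_prefer_server_ciphers on.
    """
    common = [v for v in VERSIONS if v in server_versions and v in client_versions]
    if not common:
        return None  # no protocol in common at all
    version = common[-1]
    srv = usable_suites(version, server_suites)
    cli = usable_suites(version, client_suites)
    first, second = (srv, cli) if prefer_server_order else (cli, srv)
    for suite in first:
        if suite in second:
            return version, suite
    return None  # protocol enabled on both sides, but no common suite for it


if __name__ == "__main__":
    modern = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
    legacy = ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-SHA"]
    # TLSv1.0 is enabled, but only TLSv1.2-only suites are configured: point 3.
    print(negotiate({"TLSv1.0", "TLSv1.1", "TLSv1.2"}, modern, {"TLSv1.0"}, legacy))
```

The last call returns `None`: the server nominally supports TLSv1.0, yet a TLSv1.0-only client cannot connect because none of the configured suites can be used under that protocol.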

Other related topics on TLS/SSL:

  1. https://calvin.my/posts/using-custom-dh-param-in-nginx
  2. https://calvin.my/posts/enabling-hsts-in-nginx
  3. To test your configuration and check the list of supported clients, use the SSL Labs test tool.