...

Use Secure Protocols

Currently there are five protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, and TLS v1.2. When configuring your server with a list of acceptable SSL/TLS protocol versions, you MUST:
  • upgrade your server if it does not support TLS v1.2. If this is the case, start planning an upgrade of your platform as soon as possible.
  • disable the insecure SSLv2 protocol
    • SSL v2 is insecure and must not be used. This protocol version is so bad that it can be used to attack RSA keys and sites with the same name even when they are hosted on entirely different servers (the DROWN attack).
  • disable the insecure SSLv3 protocol (only a problem for clients running IE6 on Windows XP, which is EOL)
    • SSL v3 is insecure when used with HTTP (the POODLE attack) and weak when used with other protocols. It is also obsolete and should not be used.
  • disable TLS v1.0
    • TLS v1.0 is a legacy protocol that should not be used, but it is typically still necessary in practice. Its major weakness (BEAST) has been mitigated in modern browsers, but other problems remain. Browser support for TLS v1.0 and TLS v1.1 will be dropped in 2020. In order to support older clients, you may need to continue supporting TLS v1.0 and TLS v1.1 for now; however, you should plan to retire TLS v1.0.
  • disable TLS v1.1 if possible. It can be kept for compatibility with older browsers, but plan to phase it out, as browser support for TLS v1.0 and TLS v1.1 will be dropped in 2020.
  • disable compression
    • The 2012 CRIME attack showed that TLS compression cannot be implemented securely. The only solution was to disable TLS compression altogether.
  • disable CBC ciphers
    • Recently, new vulnerabilities such as Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE were published for websites that use CBC (Cipher Block Chaining) block cipher modes. These vulnerabilities apply only when the server uses TLS 1.2, TLS 1.1 or TLS 1.0 with CBC cipher modes.
    • For clients on Windows 7, upgrade to browsers that support recent ciphers. If you still have Windows 7 in use, note that Microsoft support for it ends on January 14, 2020.

Furthermore, you SHOULD:

  • enable the TLS v1.2 protocol
  • enable forward secrecy
    • Forward secrecy (sometimes also called perfect forward secrecy) is a protocol feature that enables secure conversations that are not dependent on the server’s private key. With cipher suites that do not provide forward secrecy, someone who can recover a server’s private key can decrypt all earlier recorded encrypted conversations. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers. To support a wider range of clients, you should also use DHE suites as a fallback after ECDHE. Avoid the RSA key exchange unless absolutely necessary.
  • deploy HTTP Strict Transport Security
    • HTTP Strict Transport Security (HSTS) is a safety net for TLS. It was designed to ensure that security remains intact even in the case of configuration problems and implementation errors.
  • encrypt everything
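The following is an added example, not part of this guideline, showing how the MUST list (TLS 1.2 only, no compression, no CBC suites) and the SHOULD list (ECDHE/DHE forward secrecy, HSTS) translate into a concrete server configuration and an automated check of it. It uses only Python's standard `ssl` module; the OpenSSL cipher-string syntax, the `get_ciphers()` dictionary keys and the `kx-*` key-exchange labels are assumed to be those of CPython 3.7+ linked against OpenSSL 1.1.1 or later. The `HARDENED_CIPHERS` string, the `FORWARD_SECRET_KX` set and the finding labels are this example's own choices, not values from the guideline.

```python
"""Build and audit a TLS server configuration against the MUST/SHOULD rules.

Added example (not part of the original guideline). Assumes CPython 3.7+ on
OpenSSL 1.1.1 or later for SSLContext.minimum_version and get_ciphers().
"""
import ssl

# Ephemeral key exchange first (forward secrecy), AEAD-only so that no CBC
# suite can be selected, and plain RSA key exchange excluded outright (!kRSA).
# This string is an assumption of the example, not a value from the guideline.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:"    # preferred: ECDHE suites
    "DHE+AESGCM:DHE+CHACHA20:"        # fallback for clients without ECDHE
    "!aNULL:!eNULL:!MD5:!RC4:!3DES:!kRSA"
)

# Key-exchange labels as reported by SSLContext.get_ciphers(). TLS 1.3 suites
# report "kx-any", and every TLS 1.3 suite uses an ephemeral key exchange.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def hardened_server_context(certfile=None, keyfile=None):
    """Server context implementing the list above: TLS 1.2 or newer only,
    compression off, server-side cipher preference, ECDHE/DHE AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # drops SSLv2/v3, TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME mitigation
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the suite
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_suite(suite):
    """Return the list of rule violations for one get_ciphers() entry."""
    problems = []
    symmetric = (suite.get("symmetric") or "").lower()
    # A non-AEAD TLS 1.2 suite is a CBC (or legacy stream-cipher) suite,
    # which the guideline says to disable.
    if not suite.get("aead") or "cbc" in symmetric:
        problems.append("cbc-or-non-aead")
    if suite.get("kea") not in FORWARD_SECRET_KX:
        problems.append("no-forward-secrecy")
    return problems


def audit_context(ctx):
    """Map each finding to its violations; an empty dict means compliant."""
    findings = {}
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings["<protocol>"] = ["tls-1.1-or-older-enabled"]
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings["<compression>"] = ["tls-compression-enabled"]
    for suite in ctx.get_ciphers():
        problems = audit_suite(suite)
        if problems:
            findings[suite["name"]] = problems
    return findings


def hsts_header(max_age_seconds=31536000, include_subdomains=True):
    """Value to send in the Strict-Transport-Security response header."""
    value = "max-age=%d" % max_age_seconds
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def hsts_max_age(headers):
    """Parse max-age from a response's HSTS header; None if HSTS is absent."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                return int(val)
    return None


if __name__ == "__main__":
    good = hardened_server_context()
    print("hardened context:", audit_context(good) or "compliant")
    # Constructed weak context: TLS 1.0 allowed, library default cipher list.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    weak.minimum_version = ssl.TLSVersion.TLSv1
    print("weak context:", audit_context(weak))
    print("HSTS header:", hsts_header())
```

Run it as a script to see the hardened context pass and a TLS 1.0-capable context with the library's default cipher list fail; in a deployment, `audit_context` can be run against the context the application actually serves with, and `hsts_max_age` against a captured response's headers, so that a later configuration change that re-enables an old protocol or a CBC suite is caught before release.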

Ciphers

...