Force applications to use TLS 1.2 for certain domains

Solution 1:

For applications that use OpenSSL, you can set the MinProtocol and MaxProtocol version to TLSv1.2 to force all connections to use TLSv1.2. I know of no way to set this per domain. This is not advisable because some servers only support TLSv1.3, so connections to them will fail.

  1. Open openssl.cnf: vi /etc/ssl/openssl.cnf
  2. Scroll to the bottom: Shift-G
  3. Insert a new line: Shift-O
  4. Add MaxProtocol = TLSv1.2

For applications that use GnuTLS, for example apt, you can disable other versions of TLS in the system-wide GnuTLS configuration file, probably /etc/gnutls/config:

[overrides]
disabled-version = tls1.0
disabled-version = tls1.1
disabled-version = tls1.3

See Disabling algorithms and protocols.