Improve TLS configuration of Ysul.

| Analysis | score |
| --- | --- |
| TLS imirhil report | previously B, now E |
| SSL Labs report | A |
The TLS imirhil report evaluates what they consider as the best practices.
These are good best practices, and for modern websites tailored for modern browsers, it's a very good reference.
But we also have to devise a more global picture:
Without doing this analysis, we would be in a situation where you've found a god, a prophet, a religion. The god/prophet/religion says "B". Now, you need to figure out how to please your god/prophet/religion to get A+.
Instead, we need to know what real problems there are and see how we can improve.
The more immediate and interesting question: should we drop TLS 1.0?
If so, that means we lose Android 4 support, IE 7, IE 8, IE 10 on Windows Phone 8.0, Safari 5 and 6 on Mac OS X 10.6.8/1.8.4.
That seems acceptable to me.
Especially as people start to disable TLS 1.0, see for example https://help.salesforce.com/articleView?id=000221207&r=https%3A%2F%2Fwww.google.be%2F&type=1
But IBM dropped it then reverted: https://www.theregister.co.uk/2017/08/10/ibm_cloud_turns_tls_10_off_and_then_turns_it_on_again/
If there is no objection, I'm in support of an nginx configuration change disabling TLS 1.0.
Current configuration:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
New suggested configuration:
    ssl_protocols TLSv1.1 TLSv1.2;
The situation has evolved since 2017; we currently configure nginx with TLSv1.2 + TLSv1.3,
per the Mozilla intermediate configuration https://ssl-config.mozilla.org/
I'd suggest adding a TLS 1.3-only configuration for newer resources when we know no old Android or Java client needs to connect,
for example new internal APIs. For that, D3251 provides an includes/tls-modern-only nginx configuration to use instead of includes/tls.
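As an added example (not code from this task or from D3251), a small audit script that reads nginx configuration text, extracts every `ssl_protocols` directive and classifies it against the three profiles discussed here: the 2017 current/proposed lines, the Mozilla intermediate set, and the TLS 1.3-only set. The sample configuration embedded below is constructed for the example; the profile names and the `DEPRECATED` set are this example's own choices.

```python
import re

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/v3 are long dead.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
KNOWN = DEPRECATED | {"TLSv1.2", "TLSv1.3"}

# Profiles discussed on this task (labels are this example's own).
PROFILES = {
    frozenset({"TLSv1", "TLSv1.1", "TLSv1.2"}): "2017 current (TLS 1.0 enabled)",
    frozenset({"TLSv1.1", "TLSv1.2"}): "2017 proposal (TLS 1.0 dropped)",
    frozenset({"TLSv1.2", "TLSv1.3"}): "Mozilla intermediate",
    frozenset({"TLSv1.3"}): "modern / TLS 1.3 only",
}

_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def strip_comments(text):
    """Drop '#' comments so a commented-out directive is not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_ssl_protocols(config_text):
    """Return one set of protocol names per ssl_protocols directive found."""
    return [set(m.group(1).split())
            for m in _DIRECTIVE.finditer(strip_comments(config_text))]


def audit(config_text):
    """Classify each directive and list deprecated or unknown protocol names."""
    return [{
        "protocols": sorted(p),
        "profile": PROFILES.get(frozenset(p), "non-standard"),
        "deprecated": sorted(p & DEPRECATED),
        "unknown": sorted(p - KNOWN),
    } for p in parse_ssl_protocols(config_text)]


# Constructed sample: the 2017 server block next to a block using the intermediate set.
SAMPLE = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # 2017 configuration
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;  # includes/tls, Mozilla intermediate
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```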