- Is it wise to disable TLS 1.0/SSL3.0 completely?
- or is it better to inform users to upgrade their browsers?
For TLS 1.0 -- you can't disable it because then your site wouldn't work for a lot of users.
For SSL 3.0 -- it should apply only to IE6 users on Windows XP, so showing them an error message might be a good idea.
Before disabling anything, first monitor real usage by protocol. For example, if using Apache httpd, see the CustomLog setting in the httpd-ssl.conf file.
It depends on what your company is doing:
1. If your page is a Linux-oriented magazine, then you can most probably disable SSLv3.0 because it is unlikely that IE6 users on Windows XP are visiting your web page.
2. If your company is some kind of store, then make sure you don't "piss" off the sales people because you have reduced the profit of your company by disabling some protocol. You know, you could be disabling a protocol that is used by older people who have more money and are more conservative about upgrading browsers. So, for example, disabling 1% of users can result in profit dropping by 30%.
3. On one of my web servers, which is used strictly from the internal company network, I have disabled all protocols except TLSv1.2 and also disabled all non-high ciphers. I am sure this web server is accessed by modern browsers, so I have the luxury of real freedom in protocol selection.
You can also post some info, for example at the top of the web page, telling users of old browsers to upgrade. But make sure that this kind of message is displayed to as few users as possible. Don't expect that they will upgrade, because they are probably not very computer literate or are using old browsers because of some company rule on the required browser or similar.
I suggest doing the work and first investigating (monitoring the web server) how many users are using SSLv3.0 or TLSv1.0 on your web page, and then taking some action if required.
Can you provide more info on what kind of web page your web server is serving?
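An added example, not part of either answer above: one way to do the monitoring both answers recommend, tallying requests and distinct client addresses per protocol from Apache's SSL request log. It assumes the stock `ssl_request_log` format from httpd-ssl.conf; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed format: the stock SSL request log defined in httpd-ssl.conf,
#   CustomLog "logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<size>\S+)$'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
[12/Mar/2015:10:01:02 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120
[12/Mar/2015:10:01:03 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /style.css HTTP/1.1" 812
[12/Mar/2015:10:02:10 +0000] 192.0.2.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 5120
[12/Mar/2015:10:03:44 +0000] 198.51.100.7 TLSv1 AES128-SHA "GET / HTTP/1.1" 5120
[12/Mar/2015:10:03:45 +0000] 198.51.100.7 TLSv1 AES128-SHA "GET /cart HTTP/1.1" 2048
[12/Mar/2015:10:05:00 +0000] 203.0.113.5 SSLv3 DES-CBC3-SHA "GET / HTTP/1.0" 5120
[12/Mar/2015:10:06:30 +0000] 203.0.113.9 TLSv1.1 AES256-SHA "POST /login HTTP/1.1" -
truncated line without the expected fields
"""

def protocol_usage(lines):
    """Return (requests per protocol, distinct client hosts per protocol, skipped lines)."""
    requests, hosts, skipped = Counter(), defaultdict(set), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None or m["proto"] == "-":
            skipped += 1  # malformed entry, or no SSL_PROTOCOL recorded
            continue
        requests[m["proto"]] += 1
        hosts[m["proto"]].add(m["host"])
    return requests, {p: len(h) for p, h in hosts.items()}, skipped

def report(requests, clients):
    """Format one row per protocol, most-used first, with its share of all requests."""
    total = sum(requests.values())
    return [f"{p:8} {n:4} requests ({100 * n / total:5.1f}%)  {clients[p]} client(s)"
            for p, n in requests.most_common()]

if __name__ == "__main__":
    reqs, clients, skipped = protocol_usage(SAMPLE_LOG.splitlines())
    print("\n".join(report(reqs, clients)))
    print(f"skipped lines: {skipped}")
```

Distinct client addresses only approximate users, since many people can share one address behind NAT or a proxy, so read the per-protocol client count as a lower bound.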