With this document published 4/28/14, stating the need to move to TLS 1.2, with a TLS 1.1 minimum - why would the SSL test still rate a site as an "A" when TLS 1.0 is in use?
Even Google Chrome warns of a site using TLS 1.0 as 'insecure'.
But it doesn't say that. It explicitly states:
When interoperability with non-government systems is required, TLS 1.0 may be supported.
So unless you're running a US Government server that's only accessed by US Government clients, TLS 1.0 is absolutely fine according to this publication. Whilst it's great if you can disable TLS 1.0, because that kills off some TLS weaknesses, it's by no means a blanket recommendation or a requirement for claiming to have a secure and robust TLS implementation for organisations other than the US Government. The TLS 1.0 sunset date for PCI-DSS compliance is June 30th, 2018. Accordingly, if you're still using TLS 1.0 on July 1st, 2018, I would say you should be marked down as insecure, but not before that date - that's what the industry has decided is the sensible trade-off point for credit card data, and that's as good a trade-off point to follow as any.