
Disable deprecated SSL Protocol Versions

An SSL/TLS version offered by the server is outdated. Deprecated versions contain weak implementations that can no longer be considered secure. Make sure that your web server offers only recent and strong protocol versions.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Vulnerability Information

An SSL/TLS version offered by the server is outdated. Deprecated versions contain weak implementations that can no longer be considered secure. Make sure that your web server offers only recent and strong protocol versions.

In its latest cheat sheet for Transport Layer Security (TLS), OWASP recommends the following settings:

  • The SSL protocols have a large number of weaknesses, and should not be used in any circumstances.
  • General purpose web applications should only support TLS 1.2 and TLS 1.3, with all other protocols disabled.

A short history on SSL and TLS

SSL version 2 and 3

Secure Sockets Layer (SSL) was the original protocol used to encrypt HTTP traffic, in the form of HTTPS. There were two publicly released versions of SSL: versions 2 and 3. Both have serious cryptographic weaknesses and should no longer be used.

TLS version 1.0 to 1.3 (SSL version 3.1 to 3.4)

For various reasons, the next version of the protocol (effectively SSL 3.1) was named Transport Layer Security (TLS) version 1.0. Subsequently, TLS versions 1.1, 1.2 and 1.3 have been released.
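
The "SSL 3.1 to 3.4" numbering is still what appears on the wire, so a captured ServerHello shows which version a server actually selected. The following is an added example, not code from the original page: it reads the negotiated version from a raw ServerHello record and flags anything outside TLS 1.2 and TLS 1.3. It assumes the ServerHello fits in a single TLS record; the function names and the sample builder are illustrative.

```python
import struct

# Wire versions: TLS 1.0-1.3 are sent as 3.1-3.4, the "SSL 3.x" numbering.
# SSLv2 uses a different record format and is not parsed here.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALLOWED = {"TLS 1.2", "TLS 1.3"}  # the OWASP recommendation quoted on this page


def negotiated_version(record: bytes) -> str:
    """Return the protocol version a server selected in a raw ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                    # legacy_version + random
    pos += 1 + hello[pos]           # session id
    pos += 2 + 1                    # cipher suite + compression method
    if pos > len(hello):
        raise ValueError("truncated ServerHello")
    # TLS 1.3 keeps legacy_version at 0x0303 and carries the real version
    # in the supported_versions extension (type 0x002b).
    pos += 2                        # extensions length field
    while pos + 4 <= len(hello):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if etype == 0x002B and elen == 2 and pos + 6 <= len(hello):
            version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
        pos += 4 + elen
    return VERSIONS.get(version, f"unknown (0x{version:04x})")


def is_deprecated(record: bytes) -> bool:
    """True when the negotiated version is outside the allowed set."""
    return negotiated_version(record) not in ALLOWED


def sample_server_hello(legacy, selected=None):
    """Constructed sample input: a minimal ServerHello record."""
    ext = b""
    if selected is not None:
        ext = struct.pack("!HHHH", 6, 0x002B, 2, selected)
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00"   # empty session id
             + b"\x00\x00" + b"\x00" + ext)                    # placeholder suite
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs
```
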

Terminology

The terms "SSL", "SSL/TLS" and "TLS" are frequently used interchangeably, and in many cases "SSL" is used when referring to the more modern TLS protocol. 

Guides

To disable the deprecated SSL/TLS protocol versions, please refer to Secure TLS Configuration.

For more information about Crashtest Security, visit crashtest-security.com.