TLS / HTTPS

Fix weak TLS (disable 1.0, 1.1, weak ciphers)

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

Weak TLS means your server still allows old protocols (TLS 1.0, 1.1) or cipher suites that are no longer considered secure. Modern best practice is TLS 1.2 minimum and preferably TLS 1.3, with strong ciphers only. Browsers and scanners flag weak TLS as a risk.

Why it matters

Older protocols and ciphers have known weaknesses. Disabling them forces all connections to use stronger crypto and reduces the chance of downgrade or decryption attacks. Compliance (e.g. PCI DSS) often requires TLS 1.2+ and no weak ciphers.

How it is exploited

TLS 1.0 with CBC ciphers is vulnerable to BEAST and Lucky13. SSLv3 fallback enables POODLE. An attacker who can downgrade the handshake can recover cookies or session tokens block by block.

How to fix it

  1. Check what your server offers. Use Barrion's TLS test or a tool like testssl.sh to see which protocols and ciphers your server accepts. Note any TLS 1.0/1.1 or weak cipher suites.
  2. Configure TLS 1.2 and 1.3 only. In Nginx, set ssl_protocols TLSv1.2 TLSv1.3; and avoid ssl_ciphers that include weak suites. In Apache, use SSLProtocol and SSLCipherSuite to restrict to modern options. Same idea for load balancers (AWS ALB, Cloudflare, etc.).
  3. Restart and test. Reload your web server or update the load balancer config, then run the TLS test again. Confirm that TLS 1.0 and 1.1 are no longer accepted and that the cipher list looks strong.
  4. Monitor. Keep an eye on TLS config after upgrades. New deployments or config changes can reintroduce weak settings.
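As an added example (not Barrion's own tooling), a small Python linter for the Nginx directives named in step 2 that can be run in CI or on every config change to catch the regressions step 4 warns about; the WEAK_CONFIG sample and the list of weak-cipher markers are constructed for this example.

```python
import re

# Protocol names that must not appear in an enabled ssl_protocols list.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of an OpenSSL suite name marking it obsolete (NULL, export, RC4, DES/3DES, MD5).
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5")
# Key exchanges that give forward secrecy; TLS_ is the TLS 1.3 naming prefix.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")
_DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+(.*?)\s*;", re.MULTILINE)

def _directives(config_text):
    """Yield (name, value) for each ssl_protocols / ssl_ciphers directive; # comments are dropped."""
    uncommented = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    for match in _DIRECTIVE.finditer(uncommented):
        yield match.group(1), match.group(2).strip("'\"")

def audit_nginx_tls(config_text):
    """Return a list of findings describing weak TLS settings in an Nginx config."""
    findings = []
    for directive, value in _directives(config_text):
        if directive == "ssl_protocols":
            for proto in value.split():
                if proto in LEGACY_PROTOCOLS:
                    findings.append(f"ssl_protocols enables legacy protocol {proto}")
            continue
        for token in value.split(":"):
            if not token or token.startswith("!"):
                continue  # empty entry, or '!X' which removes X so it cannot be negotiated
            name = token.lstrip("+-")
            if "-" not in name and not name.startswith("TLS_"):
                # HIGH, DEFAULT, AESGCM... are OpenSSL aliases; expand with `openssl ciphers -v`
                findings.append(f"ssl_ciphers uses alias {name}, which cannot be audited statically")
            elif any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"ssl_ciphers allows weak suite {name}")
            elif not name.startswith(FORWARD_SECRET_PREFIXES):
                findings.append(f"ssl_ciphers allows non-forward-secret suite {name}")
    return findings

# Constructed sample: a server block that still enables legacy versions and obsolete suites.
WEAK_CONFIG = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 still on
    ssl_ciphers 'HIGH:!aNULL:RC4-SHA:DES-CBC3-SHA:AES256-SHA';
    # ssl_protocols SSLv3;   commented out, so not a finding
}
"""
if __name__ == "__main__":
    for finding in audit_nginx_tls(WEAK_CONFIG):
        print(finding)
```

Run against the hardened Nginx snippet in the platform examples, the function returns an empty list; feed it each vhost file to catch a weak setting before it ships.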

Examples by platform

Nginx

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

Apache

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

How to verify the fix

Enumerate the protocols and ciphers your server still accepts:

nmap --script ssl-enum-ciphers -p 443 example.com

Confirm that legacy TLS 1.1 is no longer negotiated. After the fix this handshake should fail instead of printing the certificate and session details. Note that recent OpenSSL builds refuse TLS 1.1 on the client side at their default security level, so an error such as "no protocols available" comes from your own client rather than the server; the nmap scan above gives the server-side answer regardless.

openssl s_client -connect example.com:443 -tls1_1

Check your site for this finding.

Run Barrion's free TLS / HTTPS check to see if this applies to your app, with a full report and remediation steps.