TLS / HTTPS · Check
Weak TLS protocol offered — disabling TLS 1.0/1.1
TLS 1.0 and 1.1 have known protocol weaknesses (BEAST, padding-oracle issues, mandatory weak ciphers) and are deprecated by the IETF. Disable them at your TLS terminator and require TLS 1.2+.
Real-world risk
Legacy TLS versions have known protocol flaws, and an attacker on the network path who can force a downgrade to them can weaken the security of the session.
Fix steps (in order)
- Disable TLS 1.0/1.1 at your edge; require TLS 1.2+ (and 1.3 where supported).
- nginx: ssl_protocols TLSv1.2 TLSv1.3;
- Cloudflare: SSL/TLS mode Full (strict) and minimum TLS 1.2 in edge settings.
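A static check for the nginx step above, as an added example (not code from the original page or from Scorifya): it scans config text for every ssl_protocols directive and reports any that still enable a legacy version, list no TLS 1.2+ version, or are missing entirely. The function name, finding labels and sample config are assumptions made for illustration, and flagging SSLv2/SSLv3 goes slightly beyond the page's TLS 1.0/1.1 scope.

```python
import re

# Tokens nginx accepts in ssl_protocols. WEAK covers the TLS 1.0/1.1 versions the
# page says to disable, plus the older SSLv2/SSLv3 (an addition in this example).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}
# \b keeps proxy_ssl_protocols (upstream side) from matching.
DIRECTIVE = re.compile(r"\bssl_protocols\s+([^;]+);")

def audit_ssl_protocols(conf_text):
    """Return (line_no, kind, detail) findings for one nginx config file."""
    findings, seen = [], False
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore comments, including commented-out directives
        m = DIRECTIVE.search(line)
        if not m:
            continue
        seen = True
        enabled = m.group(1).split()
        weak = sorted(p for p in enabled if p in WEAK)
        if weak:
            findings.append((line_no, "weak", weak))
        if not MODERN & set(enabled):
            findings.append((line_no, "no_modern", enabled))
    if not seen:
        # No directive: the build's default applies, so pin it explicitly.
        findings.append((0, "unset", []))
    return findings

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy setting inherited by servers
    server {
        listen 443 ssl;
        server_name a.example;
        # ssl_protocols TLSv1;  (commented out, must be ignored)
    }
    server {
        listen 443 ssl;
        server_name b.example;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
"""

if __name__ == "__main__":
    for finding in audit_ssl_protocols(SAMPLE):
        print(finding)
```

A clean result here only covers the file you passed in; included files and the edge in front of nginx still need the external scan described below.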
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after you deploy the change. The same finding id (weak_tls_protocol) clears once the fix is observable from outside, that is, once the host no longer offers TLS 1.0/1.1.