Your server supports TLS 1.0 and/or TLS 1.1, which are deprecated protocols with known vulnerabilities. Only TLS 1.2 and TLS 1.3 should be enabled.
Disable TLS 1.0 and 1.1 in your web server configuration. Only allow TLS 1.2 and 1.3.
Your web server accepts connections using TLS 1.0 or TLS 1.1. These were deprecated by the IETF in 2021 (RFC 8996) due to known vulnerabilities including BEAST and POODLE.
TLS 1.0/1.1 are vulnerable to multiple attacks that can compromise encrypted communications. Major browsers have dropped support. PCI DSS compliance requires disabling TLS 1.0.
Test your server for TLS 1.0 and 1.1 support.
# Test TLS 1.0:
openssl s_client -connect yourdomain.com:443 -tls1 2>&1 | head -5
# Test TLS 1.1:
openssl s_client -connect yourdomain.com:443 -tls1_1 2>&1 | head -5
Update Nginx to only support TLS 1.2 and 1.3.
# Before:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# After:
ssl_protocols TLSv1.2 TLSv1.3;
Update Apache to only support TLS 1.2 and 1.3.
# Before:
SSLProtocol all -SSLv3
# After:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Restart your web server and confirm old TLS versions are disabled.
sudo systemctl reload nginx
# Verify TLS 1.0 is disabled (should fail):
openssl s_client -connect yourdomain.com:443 -tls1 2>&1 | grep -i "error\|alert"
# Verify TLS 1.2 works:
openssl s_client -connect yourdomain.com:443 -tls1_2 2>&1 | head -5
After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.
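A configuration check for the Nginx and Apache steps above, as an added example that is not part of the original page: it reads ssl_protocols and SSLProtocol lines and reports which deprecated versions each one leaves enabled. The expansion of Apache's "all" and the treatment of a bare token as replacing the set are assumptions about mod_ssl, and the sample input is constructed from the directives shown above.

```python
import re

DEPRECATED = {"TLSv1", "TLSv1.1"}
# Assumption: what Apache's "all" expands to on a current OpenSSL build.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)


def enabled_protocols(directive, args):
    """Return the set of protocol names a directive leaves enabled."""
    if directive.lower() == "ssl_protocols":  # Nginx: a plain allow-list
        return set(args)
    enabled = set()  # Apache: tokens are applied left to right
    for token in args:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:  # assumption: a bare token replaces whatever was set before
            enabled = set(group)
    return enabled


def audit(config_text):
    """Return [(line_no, directive, deprecated protocols still enabled)]."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out directives do not match
        if m:
            bad = enabled_protocols(m.group(1), m.group(2).split()) & DEPRECATED
            findings.append((no, m.group(1), sorted(bad)))
    return findings


# Constructed sample: the before/after directives shown on this page.
SAMPLE = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
"""

if __name__ == "__main__":
    for no, directive, bad in audit(SAMPLE):
        status = "still enables " + ", ".join(bad) if bad else "ok"
        print(f"line {no}: {directive}: {status}")
```

Protocol names are compared exactly as written, so the check expects the spellings used on this page (TLSv1, TLSv1.1).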
TLS 1.0 (1999) and 1.1 (2006) have known vulnerabilities including BEAST, POODLE, and Lucky13. The IETF formally deprecated them in RFC 8996 (2021).
Less than 1% of global web traffic. All major browsers removed support by 2020.
Not strictly required, but recommended. TLS 1.2 with strong cipher suites is still secure. TLS 1.3 offers faster handshakes and stronger defaults.