High Severity | SSL/TLS

Fix: Weak SSL/TLS Cipher Suites Detected

Your server supports weak or deprecated cipher suites, including DES, 3DES, RC4, and export-grade ciphers, that are vulnerable to known attacks.

Quick Fix

Disable weak cipher suites (DES, 3DES, RC4) and enforce TLS 1.2+ in your web server configuration.

What This Error Means

Your web server accepts connections using cipher suites that have known vulnerabilities. These weak ciphers can potentially be broken by attackers, compromising encrypted connections.

Why It Matters

Weak ciphers expose your users to man-in-the-middle attacks, session hijacking, and data interception. PCI DSS and SOC 2 audits also flag weak ciphers as vulnerabilities.

Step-by-Step Fix

1. Check current cipher suites

See which ciphers your server currently supports.

Example
nmap --script ssl-enum-ciphers -p 443 yourdomain.com

2. Update Nginx cipher configuration

Configure Nginx to use only strong cipher suites.

Before
ssl_ciphers HIGH:!aNULL:!MD5;
After
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;

3. Update Apache cipher configuration

Configure Apache to use only strong cipher suites.

Before
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
After
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on

4. Restart and verify

Restart your web server and test the cipher configuration.

Example
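# Nginx (on Apache, reload the apache2 or httpd service instead):
sudo systemctl reload nginx

# Verify no weak ciphers (no output means none of these were offered):
nmap --script ssl-enum-ciphers -p 443 yourdomain.com | grep -E "(DES|RC4|3DES|EXPORT)"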

Common Gotchas

  • Disabling older ciphers may prevent very old browsers and devices from connecting. Check your analytics first.
  • If behind a CDN or load balancer, cipher configuration may need to be changed at the CDN level.
  • Some ciphers that sound similar have very different security properties. AES-GCM is strong; DES-CBC3 (3DES) is weak.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

Which cipher suites should I use?

Use ECDHE key exchange with AES-GCM or ChaCha20-Poly1305: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, and their ChaCha20 equivalents.

Which cipher suites are considered weak?

DES, 3DES (DES-CBC3), RC4, export-grade ciphers, NULL encryption, MD5-based MACs, and any cipher without forward secrecy (lacking ECDHE or DHE).
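
The grep in step 4 matches DES, 3DES, RC4 and EXPORT names only, so it passes NULL, MD5 and non-forward-secret suites from the list above. The following added example (not part of the original page; the function names and the sample scan output are constructed for illustration) applies the full list to `ssl-enum-ciphers` output and also accepts OpenSSL-style names.

```python
import re
import sys

PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):")   # e.g. "|   TLSv1.2:"
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s")       # one offered suite per line
MARKERS = [  # (reason, name tokens that indicate it), following the FAQ's weak list
    ("DES/3DES", {"DES", "3DES", "DES40"}),
    ("RC4", {"RC4"}),
    ("export-grade", {"EXP", "EXPORT", "EXP1024", "EXPORT1024"}),
    ("NULL encryption", {"NULL"}),
    ("MD5 MAC", {"MD5"}),
]

def weaknesses(suite):
    """Reasons a suite (IANA or OpenSSL name) is weak per the FAQ list; [] if none."""
    name = suite.upper()
    tokens = set(re.split(r"[-_]", name))
    reasons = [why for why, marks in MARKERS if tokens & marks]
    # TLS 1.3 names carry no key exchange (nmap prints TLS_AKE_WITH_*); treated as (EC)DHE.
    tls13 = "AKE" in tokens or (name.startswith("TLS_") and "WITH" not in tokens)
    if not tls13 and not tokens & {"ECDHE", "DHE", "EDH"}:
        reasons.append("no forward secrecy")
    return reasons

def scan(nmap_output):
    """Return (protocol, suite, reasons) for each weak suite in ssl-enum-ciphers output."""
    findings, proto = [], None
    for line in nmap_output.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
        elif (m := SUITE_RE.match(line)) and (why := weaknesses(m.group(1))):
            findings.append((proto, m.group(1), why))
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE = """\
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
"""

if __name__ == "__main__":  # usage: nmap --script ssl-enum-ciphers ... | python3 <this file>
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for proto, suite, why in scan(text):
        print(f"{proto}  {suite}: {', '.join(why)}")
```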

Will disabling weak ciphers break anything?

Only for very old clients. IE on Windows XP, Android 4.3 and older, and Java 6 may not support modern ciphers. Virtually all current browsers work fine.
