Insecure Transportation Security Protocol Supported (TLS 1.0)

Description

The web server supports TLS 1.0, an outdated encryption protocol that was formally deprecated in March 2021 (RFC 8996) due to inherent cryptographic weaknesses and vulnerability to various attacks. TLS 1.0 does not meet modern security standards, including PCI DSS 3.2.1 requirements for protecting payment card data, which mandated migration to TLS 1.2 or higher by June 30, 2018. Organizations using TLS 1.0 for transmitting sensitive data are non-compliant with current security best practices and regulatory requirements.

Remediation

Disable TLS 1.0 support on all web servers and services, and configure them to use only TLS 1.2 or TLS 1.3 as the minimum supported protocol versions. The specific implementation depends on your server platform:

For Apache (httpd.conf or ssl.conf):

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

For Nginx (nginx.conf):

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

For IIS (via PowerShell):

# Create the TLS 1.0 server key if it is missing, then disable the protocol.
# -Force on New-ItemProperty overwrites an existing value instead of failing.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWORD' -Force

After making configuration changes, restart the web server and verify that only TLS 1.2 and TLS 1.3 are enabled using SSL/TLS testing tools. Ensure that client applications and integrations support TLS 1.2 or higher before disabling legacy protocols to avoid service disruptions.
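
As a complement to testing the live endpoint, the Apache and Nginx directives above can be checked in the configuration files themselves before a restart. The following Python script is an added example, not part of the original page or of any Invicti tooling; the function names are hypothetical, the samples are constructed, and the handling of "all" and of the +/- prefixes is a simplified model of SSLProtocol.

```python
import re

# "all" expands to these in this model (assumption: OpenSSL build without SSLv3).
APACHE_ALL = {"tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.IGNORECASE)


def apache_protocols(tokens):
    """Apply SSLProtocol tokens left to right: '+' adds, '-' removes, bare replaces."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(APACHE_ALL) if name.lower() == "all" else {name.lower()}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group
    return enabled


def find_tls10(config_text):
    """Return (line_number, directive) pairs for directives that leave TLS 1.0 on."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines never match
        if not match:
            continue
        tokens = match.group(2).split()
        if match.group(1).lower() == "sslprotocol":
            enabled = apache_protocols(tokens)
        else:  # nginx lists the enabled protocols explicitly
            enabled = {tok.lower() for tok in tokens}
        if "tlsv1" in enabled:  # exact token, so TLSv1.2 does not match
            findings.append((number, line.strip()))
    return findings


# Constructed sample configurations, not taken from any real server.
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv3\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol -all +TLSv1.2 +TLSv1.3\n"
NGINX_WEAK = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n    # ssl_protocols TLSv1;\n    ssl_protocols TLSv1.2 TLSv1.3;\n}\n"

if __name__ == "__main__":
    for name, text in [("apache weak", APACHE_WEAK), ("apache fixed", APACHE_FIXED),
                       ("nginx weak", NGINX_WEAK), ("nginx fixed", NGINX_FIXED)]:
        print(name, find_tls10(text) or "TLS 1.0 not enabled")
```

A file with no matching directive returns an empty list as well, so the server's built-in default still has to be confirmed with a handshake test against the running service.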