Insecure Transportation Security Protocol Supported (TLS 1.1) - Vulnerability Database

Insecure Transportation Security Protocol Supported (TLS 1.1)

Description

The web server supports TLS 1.1, an outdated encryption protocol that was formally deprecated in March 2021 (RFC 8996) due to inherent cryptographic weaknesses. TLS 1.1 lacks support for modern cipher suites and is vulnerable to various attacks that compromise data confidentiality and integrity. Organizations subject to PCI DSS compliance requirements must disable TLS 1.1 and use TLS 1.2 or higher, as mandated since June 30, 2018.

Remediation

Disable TLS 1.1 support on the web server and configure it to use only TLS 1.2 or TLS 1.3. The specific steps depend on your server platform:

For Apache (mod_ssl):
Update the SSLProtocol directive in your configuration file:

SSLProtocol -all +TLSv1.2 +TLSv1.3

For Nginx:
Update the ssl_protocols directive:
ssl_protocols TLSv1.2 TLSv1.3;

For IIS:
Disable TLS 1.1 via registry or use IIS Crypto tool to configure protocols through the GUI.

For Java applications:
Set the minimum TLS version in your SSLContext configuration:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
// getInstance("TLSv1.2") only selects the context; sockets it creates may still enable older versions depending on the JDK, so also restrict them with SSLParameters.setProtocols(new String[]{"TLSv1.2", "TLSv1.3"}) or the jdk.tls.disabledAlgorithms security property.


After making changes, restart the web server and verify the configuration using SSL/TLS testing tools such as SSL Labs' SSL Server Test. Ensure that client applications support TLS 1.2 or higher before disabling older protocols to avoid service disruptions.
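To audit existing Apache and Nginx configurations against the directives above before rolling them out, the following added Python script (not Invicti's or the servers' own code) evaluates SSLProtocol and ssl_protocols values and reports any that still enable TLS 1.1 or older. It assumes Apache's `all` keyword expands to SSLv3 through TLSv1.3; the real expansion depends on the OpenSSL build.

```python
"""Offline audit of Apache mod_ssl / Nginx TLS protocol directives."""
import re

# Assumption: what Apache's `all` expands to (SSLv2 is excluded in 2.4).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Everything below TLS 1.2 is deprecated (RFC 8996) and disallowed by PCI DSS.
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def apache_protocols(value: str) -> set:
    """Evaluate an SSLProtocol value with mod_ssl semantics:
    `+X` adds, `-X` removes, a bare `X` replaces the whole set, `all` expands."""
    enabled: set = set()
    for word in value.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        protos = APACHE_ALL if name.lower() == "all" else {name}
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            enabled = set(protos)
    return enabled


def nginx_protocols(value: str) -> set:
    """Evaluate an ssl_protocols value: a plain list, trailing ';' optional."""
    return set(value.rstrip(";").split())


def audit_config(text: str) -> dict:
    """Map each offending directive line to the weak protocols it leaves on."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(SSLProtocol|ssl_protocols)\s+(.+)", line)
        if not m:
            continue
        directive, value = m.groups()
        enabled = (apache_protocols(value) if directive == "SSLProtocol"
                   else nginx_protocols(value))
        weak = enabled & WEAK
        if weak:
            findings[line] = sorted(weak)
    return findings


if __name__ == "__main__":
    # Constructed sample: the common "all -SSLv3" pattern still allows TLS 1.0/1.1.
    print(audit_config("SSLProtocol all -SSLv3\nssl_protocols TLSv1.2 TLSv1.3;"))
```

Running it on the directives recommended above yields no findings, while the widespread `SSLProtocol all -SSLv3` pattern is flagged because it leaves TLSv1 and TLSv1.1 enabled.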
