
Why it Matters

Older SSL and TLS versions (SSLv2, SSLv3, TLS 1.0, TLS 1.1) have known cryptographic weaknesses: SSLv2 has a broken handshake, SSLv3 is exposed to POODLE, and TLS 1.0/1.1 depend on CBC-mode suites (BEAST-style attacks) and on MD5/SHA-1 in the handshake. TLS 1.0 and 1.1 are formally deprecated by RFC 8996. As long as a server still accepts one of these versions, an attacker who can tamper with the connection can steer a client onto it and attack the weaker protocol, exposing passwords, session cookies, and payment data.

Enforcing TLS 1.2 or higher removes those versions as a downgrade target and guarantees modern AEAD ciphers between customers and your store. Prefer TLS 1.3 where the stack supports it: it drops the legacy suites entirely, always uses forward-secret key exchange, and completes the handshake in one round trip.

Verification Steps

Manual

# Test with OpenSSL for old protocols. -servername sends SNI so the right
# virtual host answers; </dev/null closes the session instead of waiting for input.
openssl s_client -connect yourstore.com:443 -servername yourstore.com -tls1 </dev/null
openssl s_client -connect yourstore.com:443 -servername yourstore.com -tls1_1 </dev/null

# Expected: handshake fails with an alert such as "protocol version" or
# "handshake failure" from the server.
# Caveat: recent OpenSSL builds refuse to speak TLS 1.0/1.1 on the client side.
# Output like "no protocols available" or "unsupported protocol" means the local
# client gave up, not the server, and proves nothing about the store. Use
# testssl.sh or a raw probe in that case.

# TLS 1.2/1.3 should succeed; confirm the negotiated version on the "Protocol  :" line
openssl s_client -connect yourstore.com:443 -servername yourstore.com -tls1_2 </dev/null
openssl s_client -connect yourstore.com:443 -servername yourstore.com -tls1_3 </dev/null

Online check

# Use SSL Labs or testssl.sh for a full report
https://www.ssllabs.com/ssltest/analyze.html?d=yourstore.com

# testssl.sh protocol check only (-p / --protocols); runs from your own network,
# so it also works for hosts SSL Labs cannot reach
testssl.sh -p yourstore.com
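The OpenSSL check above depends on the local client still being willing to offer TLS 1.0/1.1. The probe below is an added example (not code from this baseline or from any named tool): it builds a raw ClientHello that offers exactly one protocol version, sends it, and classifies the first record that comes back, so the answer reflects the server's policy and nothing else. The host name and the cipher list are illustrative assumptions; the inline byte strings used for self-testing are constructed, not captured.

```python
"""Raw TLS version probe: offer one protocol version, classify the server's reply.

Added example for this baseline item, not code from the page or any project.
Record and handshake layouts follow RFC 5246 (TLS 1.2) and RFC 6066 (SNI).
"""
import os
import socket
import struct

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
VERSIONS = {"TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}
# Assumed cipher offer: AES-GCM suites for 1.2 plus CBC suites an old 1.0/1.1 server can pick.
CIPHERS = [0xC02F, 0xC030, 0xC013, 0xC014, 0x002F, 0x0035]


def _ext(ext_type: int, data: bytes) -> bytes:
    """Encode one TLS extension: type, length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(version: int, server_name: str) -> bytes:
    """Return a single TLS record holding a ClientHello that offers only `version`."""
    ciphers = b"".join(struct.pack("!H", c) for c in CIPHERS)
    name = server_name.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, host_name type, name
    exts = _ext(0x0000, sni)                                       # server_name
    exts += _ext(0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017))   # supported_groups: x25519, secp256r1
    exts += _ext(0x000B, b"\x01\x00")                              # ec_point_formats: uncompressed
    if version == VERSIONS["TLS1.2"]:
        # signature_algorithms: rsa_pkcs1_sha256, ecdsa_secp256r1_sha256, rsa_pkcs1_sha1
        exts += _ext(0x000D, struct.pack("!HHHH", 6, 0x0401, 0x0403, 0x0201))
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # Record-layer version 0x0301 is what old and new stacks alike accept in the first record.
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first TLS record a server sent back: accepted:<ver>, refused:<alert>, ..."""
    if len(data) < 5:
        return "no-response"
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == RECORD_ALERT and len(payload) >= 2:
        return "refused:" + ALERTS.get(payload[1], f"alert{payload[1]}")
    if ctype == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        negotiated = struct.unpack("!H", payload[4:6])[0]  # skip type (1) + length (3)
        names = {v: k for k, v in VERSIONS.items()}
        return "accepted:" + names.get(negotiated, hex(negotiated))
    return "unexpected"


def probe(host: str, version_name: str, port: int = 443, timeout: float = 5.0) -> str:
    """Offer only `version_name` to host:port and classify the reply (network call)."""
    hello = build_client_hello(VERSIONS[version_name], host)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            reply = sock.recv(4096)
    except OSError:            # reset, refused, or timed out: treated as not accepted
        reply = b""
    return classify_response(reply)


def check_store(host: str) -> dict:
    """Baseline verdict: TLS 1.0/1.1 must not be accepted, TLS 1.2 must be."""
    results = {v: probe(host, v) for v in VERSIONS}
    results["pass"] = (not results["TLS1.0"].startswith("accepted")
                       and not results["TLS1.1"].startswith("accepted")
                       and results["TLS1.2"] == "accepted:TLS1.2")
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "yourstore.com"  # assumed placeholder host
    for key, value in check_store(target).items():
        print(f"{key:7} {value}")
```

Run it as `python3 tlsprobe.py yourstore.com`. A compliant store prints `refused:protocol_version` (or `no-response` for servers that simply drop the connection) for TLS1.0 and TLS1.1 and `accepted:TLS1.2` for TLS1.2. The probe only reads the first record, which is enough for a version verdict; it does not validate certificates or complete the handshake.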

Remediation / Fix Guidance

  1. Disable SSLv2, SSLv3, TLS 1.0, and TLS 1.1 wherever TLS is terminated. If a CDN, load balancer, or reverse proxy sits in front of the store, its listener is what customers negotiate with, so fix it there as well as on the web server.
  2. Enable only TLS 1.2 and TLS 1.3 (TLS 1.3 needs a build against OpenSSL 1.1.1 or later):
    # Nginx (put it in the http block, or in every server block; the first
    # server for an address:port is the default that answers clients without SNI)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Apache: clear everything, then allow only what you want
    SSLProtocol -all +TLSv1.2 +TLSv1.3
  3. Use strong AEAD ciphers (AES-GCM, ChaCha20-Poly1305) with forward-secret ECDHE key exchange. TLS 1.3 suites are always AEAD and ECDHE; the list below constrains TLS 1.2:
    # Nginx
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    # Apache
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
  4. Reload the server (nginx -t && nginx -s reload; apachectl configtest && apachectl graceful) and re-test with SSL Labs or testssl.sh to confirm that only TLS 1.2 and 1.3 are offered.

Examples

Fail Example

# Old TLS versions still enabled
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Pass Example

# Only modern TLS versions allowed
ssl_protocols TLSv1.2 TLSv1.3;

References