What this check probes
For each of SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3, we attempt a handshake on port 443 advertising only that protocol. If the server completes the handshake, that version is reported as enabled.
This is the same logic that nmap --script ssl-enum-ciphers and testssl.sh use, only narrower and faster: it is designed to fit in a public scanner without hammering your origin.
Why this matters for PCI DSS
PCI DSS v4.0 Requirement 4.2.1 mandates "strong cryptography" on any public network carrying account data. The PCI SSC has explicitly deprecated SSL 3.0 (POODLE), TLS 1.0, and TLS 1.1 since June 2018. Continuing to offer them is an automatic compliance fail, even if no client actually negotiates the weak version.
- SSL 3.0 — POODLE (CVE-2014-3566) lets a network attacker decrypt cookies one byte at a time.
- TLS 1.0 / 1.1 — BEAST, Lucky13, CRIME, and an inability to use modern AEAD ciphers. NIST SP 800-52r2 forbids them.
- TLS 1.2 — acceptable, but only with strong cipher suites and forward-secret key exchange.
- TLS 1.3 — recommended; removes legacy cipher modes and reduces handshake to one round trip.
How to fix it
nginx — in your server or http block:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
Apache (mod_ssl):
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20
SSLHonorCipherOrder off
IIS / Windows Server — the easiest path is the free IIS Crypto tool from Nartac. Apply the "Best Practices" template and reboot. It edits the SCHANNEL keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
Verify your fix from the command line:
openssl s_client -connect example.com:443 -tls1
# expect: handshake failure
openssl s_client -connect example.com:443 -tls1_2
# expect: successful handshake
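The per-version probe described under "What this check probes", together with the openssl verification just above, reduced to one short Python script. This is an added example, not the scanner's own code: it uses only the standard library's ssl module, and the target name (example.com) and port 443 are placeholders to replace with your own host. Two caveats a practitioner hits in practice are built in: OpenSSL 3 clients refuse to speak TLS 1.0/1.1 at their default security level, so the script lowers that level for those two probes only, and a client library built without SSL 3.0 cannot ask for it at all, which the script reports as inconclusive rather than as disabled.

```python
import socket
import ssl
import sys

# One probe per protocol version, mirroring the scanner's single-version handshakes.
# SSL 3.0 is listed for completeness: an OpenSSL built without SSLv3 (the default
# today) cannot offer it, and probe() reports that case as inconclusive.
PROBES = {
    "SSL 3.0": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def single_version_context(version):
    """Build a client context that advertises exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The question is whether the version negotiates, not whether the certificate
    # is valid, so certificate checks are off for this probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lowering
        # it here keeps the probe honest about what the *server* offers.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # backends that do not understand @SECLEVEL keep their default
    return ctx


def probe(host, version, port=443, timeout=5.0):
    """Attempt one handshake. Returns (status, detail) with status one of
    "enabled", "disabled" or "inconclusive"."""
    ctx = single_version_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "enabled", tls.version()
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        if reason == "NO_PROTOCOLS_AVAILABLE":
            # Our own TLS library cannot offer this version, so the server was never asked.
            return "inconclusive", reason
        # A protocol_version or handshake_failure alert (or an abrupt close)
        # means the server declined the version we advertised.
        return "disabled", reason
    except OSError as exc:
        # Refused, unreachable or timed out: nothing can be said about the version.
        return "inconclusive", str(exc)


def scan(host, port=443):
    """Probe every version in PROBES and return {version name: status}."""
    return {name: probe(host, version, port)[0] for name, version in PROBES.items()}


def pci_findings(results):
    """Turn per-version statuses into the verdict this check reports."""
    findings = []
    for name in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        if results.get(name) == "enabled":
            findings.append(f"{name} is enabled: deprecated by the PCI SSC, fails Requirement 4.2.1")
        elif results.get(name) == "inconclusive":
            findings.append(f"{name} could not be probed from this client; confirm with the scanner or testssl.sh")
    modern = [n for n in ("TLS 1.2", "TLS 1.3") if results.get(n) == "enabled"]
    if not modern:
        findings.append("neither TLS 1.2 nor TLS 1.3 negotiated: no strong protocol is offered")
    elif "TLS 1.3" not in modern:
        findings.append("TLS 1.3 is not offered: recommended (TLS 1.2 alone is acceptable with strong cipher suites)")
    return findings


if __name__ == "__main__":
    # Hypothetical default target; pass your own hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = scan(target)
    for name, status in results.items():
        print(f"{name:8} {status}")
    for line in pci_findings(results):
        print("-", line)
```

Run it as `python3 probe_tls.py yourhost.example` after applying one of the configurations above: the expected output is "disabled" for SSL 3.0, TLS 1.0 and TLS 1.1 and "enabled" for TLS 1.2 and TLS 1.3, with an empty findings list. Any "inconclusive" row says something about the machine you ran it from, not about the server, which is why the scanner's result (run from a client that can still speak the legacy versions) is the one to trust for compliance.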
For a generated config tailored to your server and compatibility target, use the Mozilla SSL Configuration Generator.