Description

The web server supports encryption through TLS 1.0, which was formally deprecated in March 2021 as a result of inherent security issues. In addition, TLS 1.0 is not considered to be "strong cryptography" as defined and required by the PCI Data Security Standard 3.2(.1) when used to protect sensitive information transferred to or from web sites. According to PCI, "30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

Remediation

It is recommended to disable TLS 1.0 and replace it with TLS 1.2 or higher.

References

RFC 8996: Deprecating TLS 1.0 and TLS 1.1

Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS

PCI 3.1 and TLS 1.2 (Cloudflare Support)

Related Vulnerabilities

Yii2 weak secret key

Apache Spark Web UI Unauthorized Access Vulnerability

Apache Server-Status Detected

Apache Tomcat version older than 6.0.35

An Unsafe Content Security Policy (CSP) Directive in Use

Severity

High

Classification

CWE-326 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Configuration Weak Crypto