Severity: high | CWE-326 | OWASP A02:2021

Weak SSL/TLS Configuration

A server that still accepts obsolete protocol versions (SSL 3.0, TLS 1.0, TLS 1.1) or weak cipher suites lets a legacy or coerced client negotiate a connection whose traffic an attacker can recover, even though it looks encrypted on the wire.

How It Works

SSL 3.0 and TLS 1.0/1.1 carry design weaknesses that have been turned into practical attacks: POODLE (a padding-oracle attack on SSL 3.0 CBC suites, with variants against some TLS implementations), BEAST (a chosen-plaintext attack on TLS 1.0 CBC mode) and CRIME (secret recovery through TLS-level compression, which TLS 1.3 removes entirely). TLS 1.3 includes downgrade protection, so a network attacker cannot silently push two TLS 1.3 peers down to TLS 1.0; the real risk of advertising old versions is that the server will happily serve them to legacy clients, to clients that retry with a lower version after a failed handshake (the 'fallback dance' that TLS_FALLBACK_SCSV, RFC 7507, was created to detect), and to any client the attacker controls or can interfere with. Once a session runs on an old protocol, that protocol's weaknesses apply. The IETF formally deprecated TLS 1.0 and 1.1 in RFC 8996 (March 2021); NIST SP 800-52 Rev. 2 (2019) had already made TLS 1.2 the baseline for federal systems.

Vulnerable Code

# BAD: nginx config supporting old TLS versions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# the old nginx default cipher string: 'ALL' plus positive RC4, MEDIUM, LOW, SSLv2 and EXP selectors
ssl_ciphers 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP';

Secure Code

# GOOD: TLS 1.2+ only with strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
# AEAD suites with forward secrecy only. This list governs TLS 1.2; TLS 1.3 suites
# are selected separately and are not affected by ssl_ciphers.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
# every offered suite is strong, so let the client choose (matches Mozilla's intermediate profile)
ssl_prefer_server_ciphers off;

Real-World Example

The POODLE attack (CVE-2014-3566) exploited SSL 3.0 support that many servers kept enabled for 'compatibility', combined with browsers' willingness to retry a failed handshake at a lower version. An attacker who could trigger that retry could then decrypt secure cookies one byte at a time. Sites that had not disabled SSL 3.0 years after the disclosure remained vulnerable to session decryption.

How to Prevent It

  • Disable TLS 1.0 and TLS 1.1 on all servers — only allow TLS 1.2 and TLS 1.3
  • Use strong cipher suites and disable RC4, DES, 3DES, and export-grade ciphers
  • Test your TLS configuration at ssllabs.com/ssltest — aim for an A+ rating
  • Use Mozilla's SSL Configuration Generator (ssl-config.mozilla.org) for ready-made configs
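As an added example (not code from the original page or from the scanner it describes), the script below turns the 'How It Works' and 'How to Prevent It' sections into something you can run: a static audit of nginx ssl_protocols and ssl_ciphers directives against the page's BAD and GOOD snippets, an expansion of a cipher string through the local OpenSSL so you can see which concrete suites it really admits, and an optional live probe that pins a client to one TLS version at a time to see what a server will negotiate. The sample configs are constructed here, and the function names (audit_nginx_ssl, expand_cipher_string, probe_tls_versions) are assumptions of this example.

```python
"""Added example (not from the original page or the scanner it describes):
audit nginx TLS directives, expand a cipher string via the local OpenSSL, and
optionally probe a live server one TLS version at a time.
Sample configs are constructed; function names are this example's own."""
import re
import socket
import ssl
import sys

# Anything before TLS 1.2 is obsolete (RFC 8996 for TLS 1.0/1.1; SSLv3 since POODLE).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string selectors that admit weak suites when used positively.
WEAK_SELECTORS = {"RC4", "DES", "3DES", "EXP", "EXPORT", "LOW", "MEDIUM",
                  "NULL", "eNULL", "aNULL", "ADH", "AECDH", "MD5", "SSLv2"}

# One directive per line, terminated by ';'. Commented-out lines never match.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.MULTILINE)

# Constructed sample configs: the page's BAD and GOOD nginx snippets in context.
VULNERABLE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP';
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
}
"""


def audit_nginx_ssl(config_text):
    """Return human-readable findings for obsolete protocols and weak cipher
    selectors; an empty list means nothing was flagged."""
    findings = []
    saw_protocols = False
    for name, raw in DIRECTIVE_RE.findall(config_text):
        value = raw.strip().strip("'\"")
        if name == "ssl_protocols":
            saw_protocols = True
            bad = [p for p in value.split() if p in OBSOLETE_PROTOCOLS]
            if bad:
                findings.append("ssl_protocols enables obsolete " + " ".join(bad))
        else:
            for token in value.split(":"):
                if token.startswith(("!", "-")):   # exclusions are what we want to see
                    continue
                # '+RC4' only moves RC4 to the end of the list; 'RC4+RSA' is an AND of selectors
                parts = token.lstrip("+").split("+")
                if any(p in WEAK_SELECTORS for p in parts):
                    findings.append(f"ssl_ciphers admits weak selector '{token}'")
    if not saw_protocols:
        # nginx before 1.23.4 defaulted to 'TLSv1 TLSv1.1 TLSv1.2' when the directive was absent
        findings.append("ssl_protocols not set: the nginx default before 1.23.4 "
                        "includes TLSv1 and TLSv1.1")
    return findings


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the concrete suites the local OpenSSL
    would offer. TLS 1.3 suites (TLS_*) always appear because ssl_ciphers does
    not govern them; the string only controls TLS 1.2 and earlier."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def probe_tls_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version, pinning min and max to that
    version, and report what the server accepts. Network call, not exercised
    offline. A 'refused' result can also mean the local OpenSSL policy (for
    example MinProtocol in openssl.cnf) vetoed that version on the client side."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # we test protocol support, not the certificate
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            # lower the local security level so the client itself does not refuse TLS 1.0/1.1
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[ver.name] = f"accepted ({tls.version()})"
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[ver.name] = f"refused ({exc.__class__.__name__}: {exc})"
    return results


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_nginx_ssl(conf) or ['no findings']}")
    print("hardened list expands to:", expand_cipher_string(
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"))
    if len(sys.argv) > 1:                    # e.g. python tls_audit.py example.com 443
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for version, outcome in probe_tls_versions(host, port).items():
            print(f"{version}: {outcome}")
```

Run it with no arguments to audit the two embedded configs and print the expanded hardened list; pass a host (and optionally a port) to run the live probe as well. The static audit is deliberately keyword-based so it does not depend on which ciphers your OpenSSL build ships, whereas expand_cipher_string shows exactly what your build would offer; the two together are the check to run before trusting a config, with ssllabs.com/ssltest as the external confirmation.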

Affected Technologies

Node.js, nginx, Apache

Data Hogo detects this vulnerability automatically.

