Allows insecure cipher: Export Ciphers |
This server accepts the RSA_EXPORT cipher suite, making it susceptible to the FREAK attack. |
Update your company's web server software to disable export cipher suites. For all major server software (IIS, Apache, nginx, etc.), refer to the Guide to Deploying Diffie-Hellman for TLS for explicit instructions, which also apply to SSLv2 and SSLv3. |
Allows insecure protocol: TLSv1.0 |
TLSv1.0 has been deprecated. |
Update your company’s server configurations to disable TLSv1.0. Refer to the Guide to Deploying Diffie-Hellman for TLS for explicit instructions. |
Allows insecure protocol: TLSv1.1 |
TLS version 1.1 has been deprecated. |
Update your company’s server configurations to disable this protocol. Refer to the Guide to Deploying Diffie-Hellman for TLS for explicit instructions. |
Allows insecure protocol: SSLv2 |
This protocol has been deprecated for some time and has many known security vulnerabilities, such as the DROWN attack. |
Update your company’s server configurations to disable SSLv2. Refer to the Guide to Deploying Diffie-Hellman for TLS for explicit instructions, which also apply to SSLv3 and insecure ciphers. |
Allows insecure protocol: SSLv3 |
This protocol is vulnerable to the POODLE attack. |
Update your company’s server software to disable SSLv3. Refer to the Guide to Deploying Diffie-Hellman for TLS for explicit instructions, which also apply to SSLv2 and insecure ciphers. |
Diffie-Hellman prime is very commonly used |
A common Diffie-Hellman prime indicates poor server-side TLS configuration; servers with common primes are more susceptible to compromise, as demonstrated by the Logjam attack. |
Use a TLS implementation of your choice to generate a new Diffie-Hellman group for your server. Refer to the Guide to Deploying Diffie-Hellman for TLS to learn more. |
Diffie-Hellman prime is less than 512 bits |
Primes shorter than 512 bits are estimated to be breakable by adversaries with consumer-level and academic-level resources. |
A key length of 2048 bits is recommended. Use a TLS implementation of your choice to generate a new Diffie-Hellman group and key pair for your server. Refer to the Guide to Deploying Diffie-Hellman for TLS. |
Diffie-Hellman prime is less than 1024 bits |
Primes shorter than 1024 bits are estimated to be breakable by adversaries with consumer-level and academic-level resources. |
A key length of 2048 bits is recommended. Use a TLS implementation of your choice to generate a new Diffie-Hellman group and key pair for your server. Refer to the Guide to Deploying Diffie-Hellman for TLS. |
Diffie-Hellman public key is very commonly used |
A common public key indicates poor server-side TLS configuration, or that private keys are used more than once on separate servers. |
Check your server for any improperly implemented crypto libraries, and make sure that all libraries (SSL, etc.) are up to date. Use a TLS implementation of your choice to generate a new Diffie-Hellman group for your server. Refer to the Guide to Deploying Diffie-Hellman for TLS to learn more. |
Short Diffie-Hellman prime is very commonly used |
A common Diffie-Hellman prime indicates poor server-side TLS configuration and puts the server at risk for the Logjam attack. |
Use a TLS implementation of your choice to generate a new Diffie-Hellman group for your server and make sure you have a strong TLS configuration, as documented in the Guide to Deploying Diffie-Hellman for TLS. A key length of 2048 bits is recommended. |
SMTP server doesn’t support TLSv1.2 or greater |
The Simple Mail Transfer Protocol (SMTP) server does not support secure TLS protocols (TLSv1.2 or greater). |
Ensure the SMTP server supports secure TLS protocols (TLSv1.2 or greater). |
Vulnerable to Heartbleed |
This SSL certificate was generated using the OpenSSL library and has not been updated since the Heartbleed vulnerability was discovered. |
Ensure your TLS libraries are up-to-date on company servers. |