| Finding | Description | Remediation |
|---|---|---|
| Allows insecure cipher: Export Ciphers | This server accepts the RSA_EXPORT cipher suite, making it susceptible to the FREAK attack. | Update your company web server software to disable export cipher suites. For all major server software (IIS, Apache, nginx, etc.), the Guide to Deploying Diffie-Hellman for TLS gives explicit instructions; the same instructions also cover disabling SSL v2 and v3. |
| Allows insecure protocol: TLSv1.0 | TLS version 1.0 has been deprecated. | Disable TLS 1.0. See our guide for remediating TLS/SSL Configuration findings. |
| Allows insecure protocol: TLSv1.1 | TLS version 1.1 has been deprecated. | Disable TLS 1.1. See our guide on verifying that TLS is disabled. |
| Allows insecure protocol: SSLv2 | This protocol has been deprecated for some time and has many known security vulnerabilities, such as the DROWN attack. | Disable SSLv2. See our guide on verifying that TLS is disabled. |
| Allows insecure protocol: SSLv3 | This protocol is vulnerable to the POODLE attack. | Disable SSLv3. See our guide for remediating TLS/SSL Configuration findings. |
| Allows protocol: TLSv1.1 | TLS version 1.1 has been deprecated. | Disable TLS 1.1. See our guide for remediating TLS/SSL Configuration findings. |
| Certificate was issued for a date in the future | This certificate only becomes valid after today's date, so traffic to this host may not be encrypted. Your TLS/SSL provider may have misconfigured the certificate, or, if it is self-signed, it was not issued appropriately. | Obtain and install a certificate that is valid for today's date. See our guide for remediating TLS/SSL Configuration findings. |
| Diffie-Hellman prime is very commonly used | A common Diffie-Hellman prime indicates poor server-side TLS configuration; servers with common primes are more susceptible to compromise, as demonstrated by the Logjam attack. | See our guide for checking the Diffie-Hellman prime value. If the value is still seen as common, generate a new prime. See the WeakDH "Guide to Deploying Diffie-Hellman for TLS" for a list of common products. |
| Diffie-Hellman prime is less than 512 bits | Primes shorter than 512 bits are estimated to be breakable by adversaries with consumer-level and academic-level resources. | Use a key length of 2048 bits. See our guide for checking the Diffie-Hellman prime value. If the value is less than 2048 bits, generate a new prime. See the WeakDH "Guide to Deploying Diffie-Hellman for TLS" for a list of common products. |
| Diffie-Hellman prime is less than 1024 bits | Primes shorter than 1024 bits are estimated to be breakable by adversaries with consumer-level and academic-level resources. | Use a 2048-bit key. See our guide for checking the Diffie-Hellman prime value. If the value is less than 2048 bits, generate a new prime. See the WeakDH "Guide to Deploying Diffie-Hellman for TLS" for a list of common products. |
| Diffie-Hellman public key is very commonly used | A common public key indicates poor server-side TLS configuration, or that the same private key is being reused on separate servers. | Check your server for any improperly implemented crypto libraries, and make sure that all libraries (SSL, etc.) are up to date. Use a TLS implementation of your choice to generate a new Diffie-Hellman group for your server. Refer to the Guide to Deploying Diffie-Hellman for TLS to learn more. |
| Elliptic curve public key is less than 160 bits | Keys shorter than 160 bits can be broken with consumer devices. A key length of 224 bits is recommended. | An EC parameter of 224 bits or more is recommended. Your certificate will need to be re-issued or regenerated by your ECC provider with an elliptic curve parameter greater than or equal to 160 bits. |
| Elliptic curve public key is less than 224 bits | Keys shorter than 224 bits may be insecure. | Your certificate will need to be re-issued or regenerated by your certificate provider with an elliptic curve parameter greater than or equal to 224 bits. |
| Malformed certificate | There is a problem with the certificate that may render it ineffective. | Obtain updated leaf certificates from your certificate vendor. |
| Malformed public key | There is a problem with the public key that may render it ineffective. The key may not have been produced or configured properly. | Check that your keys are properly stored. You may need to generate a new key pair. Obtain updated certificates from your certificate vendor if necessary. |
| Short Diffie-Hellman prime is very commonly used | A common Diffie-Hellman prime indicates poor server-side TLS configuration and puts the server at risk of the Logjam attack. | See our guide for checking the Diffie-Hellman prime value. If the value is still seen as common, generate a new prime. See the WeakDH "Guide to Deploying Diffie-Hellman for TLS" for a list of common products. |
| SMTP server does not support protocol TLSv1.2 | The Simple Mail Transfer Protocol (SMTP) server does not support TLS protocol TLSv1.2. | Configure the SMTP server to support TLS protocol TLSv1.2 or greater. See our guide for remediating TLS/SSL Configuration findings. |
| SMTP server does not support protocol TLSv1.2 or greater | The Simple Mail Transfer Protocol (SMTP) server does not support secure TLS protocols (TLSv1.2 or greater). | Configure the SMTP server to support TLSv1.2 or greater. See our guide for remediating TLS/SSL Configuration findings. |
| Vulnerable to Heartbleed | This SSL certificate was generated using the OpenSSL library and has not been updated since the Heartbleed vulnerability was discovered. | Ensure your TLS libraries are up to date on company servers. |