TLS / HTTPS

How to fix weak TLS (disable TLS 1.0, 1.1, and weak ciphers)

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

Weak TLS means your server still allows old protocols (TLS 1.0, 1.1) or cipher suites that are no longer considered secure. Modern best practice is TLS 1.2 minimum and preferably TLS 1.3, with strong ciphers only. Browsers and scanners flag weak TLS as a risk.

Why it matters

Older protocols and ciphers have known weaknesses. Disabling them forces all connections to use stronger crypto and reduces the chance of downgrade or decryption attacks. Compliance (e.g. PCI DSS) often requires TLS 1.2+ and no weak ciphers.

How to fix it

  1. Check what your server offers

    Use Barrion's TLS test or a tool like testssl.sh to see which protocols and ciphers your server accepts. Note any TLS 1.0/1.1 or weak cipher suites.

  2. Configure TLS 1.2 and 1.3 only

    In Nginx, set ssl_protocols TLSv1.2 TLSv1.3; and avoid ssl_ciphers that include weak suites. In Apache, use SSLProtocol and SSLCipherSuite to restrict to modern options. Same idea for load balancers (AWS ALB, Cloudflare, etc.).

  3. Restart and test

    Reload your web server or update the load balancer config, then run the TLS test again. Confirm that TLS 1.0 and 1.1 are no longer accepted and that the cipher list looks strong.

  4. Monitor

    Keep an eye on TLS config after upgrades. New deployments or config changes can reintroduce weak settings.

Examples by platform

Nginx

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

Apache

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
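
For the Monitor step, one way to catch a regression before it ships is to lint config text for the four directives shown above. This is an added example, not Barrion's code: the function names, the weak-cipher marker list and the sample configs are assumptions constructed for illustration, and Apache's SSLProtocol handling is simplified to all/+X/-X tokens.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # Apache "all"
# Assumption: substrings that mark an OpenSSL cipher name as weak.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
DIRECTIVE = re.compile(
    r"^[ \t]*(ssl_protocols|ssl_ciphers|SSLProtocol|SSLCipherSuite)[ \t]+([^;#\n]+)",
    re.MULTILINE)  # commented-out lines start with '#' and never match

def enabled_protocols(tokens):
    """Resolve nginx's plain list and Apache's all/+X/-X syntax to a set."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-")
        if name.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled

def weak_ciphers(cipher_string):
    """Return enabled cipher entries whose name contains a weak marker."""
    items = cipher_string.strip().strip("\"'").split(":")
    return [c for c in items
            if not c.startswith(("!", "-"))          # exclusions enable nothing
            and any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]

def audit_tls_config(text):
    """Return (directive, offending values) pairs found in a config text."""
    findings = []
    for name, value in DIRECTIVE.findall(text):
        if name in ("ssl_protocols", "SSLProtocol"):
            bad = sorted(enabled_protocols(value.split()) & WEAK_PROTOCOLS)
        else:
            bad = weak_ciphers(value)
        if bad:
            findings.append((name, bad))
    return findings

# Constructed sample configs (not taken from a real server).
SAMPLE_WEAK_NGINX = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers HIGH:!aNULL:DES-CBC3-SHA:RC4-SHA;\n"
SAMPLE_WEAK_APACHE = "SSLProtocol all -SSLv3\nSSLCipherSuite HIGH:!aNULL:!MD5\n"

if __name__ == "__main__":
    print(audit_tls_config(SAMPLE_WEAK_NGINX), audit_tls_config(SAMPLE_WEAK_APACHE))
```

An empty list means no weak protocol or cipher was found in the directives it recognises; it does not replace the live TLS test in step 3, since a load balancer or an included file can still override these settings.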

Check your site

Run Barrion's free TLS / HTTPS check to see if this finding applies to your app and get a full report.

© 2025 Barrion AB (559569-0917) - All Rights Reserved.