F-2025-0021 · Category: configuration
Insecure TLS (1.0 and 1.1) active on public endpoints
TL;DR
Public endpoints accepted TLS 1.0 and 1.1, both deprecated and known-vulnerable. Modern clients should refuse to negotiate these versions; servers should not offer them.
Severity
LOW
Impact
MEDIUM
Likelihood
LOW
Method
Manual review
Complexity
LOW
Exploitability
LOW
Description
Public endpoints permitted TLS 1.0 and 1.1 negotiation. Both versions are deprecated and known-vulnerable; modern browsers refuse to connect with them and PCI/security baselines require disabling them.
Recommendation
Disable TLS 1.0 and 1.1 at the load balancer / CDN. Accept only TLS 1.2+ (preferably 1.3 with a small 1.2 cipher allowlist for compatibility).
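Added example, not code from the audit or from the Initia code base: a Python ssl server context that matches the recommendation (TLS 1.2+ with a small forward-secret AEAD allowlist), an audit helper that flags a context still offering 1.0/1.1, and a probe to confirm a live endpoint refuses those versions after the fix. The probe's host and port are whatever you are verifying; `@SECLEVEL=0` on the probe client is needed because a modern local OpenSSL would otherwise refuse TLS 1.0/1.1 itself and mask the server's answer.

```python
import socket
import ssl

# Small TLS 1.2 allowlist: forward-secret AEAD suites only (TLS 1.3 suites
# are handled separately by OpenSSL and are all acceptable).
TLS12_ALLOWLIST = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
])
MODERN_VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def hardened_server_context() -> ssl.SSLContext:
    """Server-side context matching the recommendation: TLS 1.2+ only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_ALLOWLIST)
    return ctx

def legacy_server_context() -> ssl.SSLContext:
    """The configuration the finding describes: TLS 1.0 and 1.1 negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # deprecated floor
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.minimum_version not in MODERN_VERSIONS:
        findings.append(f"offers TLS below 1.2 (minimum_version={ctx.minimum_version.name})")
    for c in ctx.get_ciphers():  # each offered suite with the oldest protocol it works on
        if c["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"legacy cipher suite offered: {c['name']} ({c['protocol']})")
    return findings

def accepts_tls_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Probe a live endpoint; True if a handshake pinned to `version` completes (expect False for TLSv1/TLSv1_1 after the fix)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # we test version negotiation, not the certificate
    ctx.set_ciphers("ALL:@SECLEVEL=0")    # let the local OpenSSL speak old versions at all
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False
```

Run `accepts_tls_version(host, 443, ssl.TLSVersion.TLSv1)` and `TLSv1_1` against the endpoint after the change; both should return False while `TLSv1_2` returns True.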
Initia: Resolved. Pashov Audit Group: Resolved.
Status
Fixed
Fix commit
de9d3602dc1a
Fix date
2025-06-23