Severity: High. Compliance references: GDPR Art. 32, ISO 27001 A.8.24, CIS Controls (CIS 3).

Fix TLS: valid certificate and modern protocols only

Your certificate must be valid and current, and the server should negotiate only TLS 1.2+ — never SSLv3, TLS 1.0 or 1.1.

Why it matters

An expired or mismatched certificate breaks trust and blocks users; deprecated protocols (TLS 1.0/1.1) are vulnerable to known downgrade and decryption attacks. Both are hard failures in any compliance review.

How to fix it

Automate certificate renewal (e.g. ACME/Let's Encrypt), disable TLS 1.0/1.1 and weak ciphers, and prefer forward-secret suites. Re-test after every server or CDN change.

# nginx: modern protocols only
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
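Added example, not part of this guide: a Python audit of an nginx TLS fragment against the rules above (no SSLv3/TLS 1.0/1.1, forward-secret suites only, no legacy primitives), plus a live probe for the re-test step that verifies the certificate chain, reports days to expiry, and confirms a TLS 1.0/1.1-only client is refused. The function names and the weak sample config are constructed for illustration; only the standard library is used.

```python
import re
import socket
import ssl
import time

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK = re.compile(r"RC4|DES|MD5|NULL|EXPORT")  # legacy primitives that should never appear


def audit_nginx_tls(config: str) -> list[str]:
    """Return findings for an nginx TLS config fragment; an empty list means clean."""
    findings = []
    proto = re.search(r"^\s*ssl_protocols\s+([^;]+);", config, re.M)
    if not proto:
        findings.append("ssl_protocols not set: the build default decides, pin it to TLSv1.2 TLSv1.3")
    else:
        bad = set(proto.group(1).split()) & DEPRECATED
        if bad:
            findings.append("deprecated protocols enabled: " + " ".join(sorted(bad)))
    ciphers = re.search(r"""^\s*ssl_ciphers\s+['"]?([^'";]+)['"]?;""", config, re.M)
    for suite in ciphers.group(1).split(":") if ciphers else []:
        if suite.startswith("!"):  # explicit exclusion, nothing to flag
            continue
        if not suite.startswith(("ECDHE-", "DHE-")):  # RSA key exchange has no forward secrecy
            findings.append(f"no forward secrecy: {suite}")
        if WEAK.search(suite):
            findings.append(f"weak cipher: {suite}")
    return findings


def probe_live_host(host: str, port: int = 443) -> dict:
    """Network check (not run offline): chain validity, days to expiry, and refusal of TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # validates chain, expiry and hostname
    with socket.create_connection((host, port), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
        result = {"protocol": tls.version(), "days_left": int((not_after - time.time()) // 86400)}
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # deliberately old client, used only to probe
    legacy.check_hostname, legacy.verify_mode = False, ssl.CERT_NONE
    legacy.minimum_version, legacy.maximum_version = ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=5) as sock, \
                legacy.wrap_socket(sock, server_hostname=host):
            result["legacy_accepted"] = True  # hard failure: TLS 1.0/1.1 still negotiable
    except OSError as e:
        # NO_PROTOCOLS_AVAILABLE means the local OpenSSL refused to offer 1.0/1.1: inconclusive, not a pass
        result["legacy_accepted"] = None if getattr(e, "reason", "") == "NO_PROTOCOLS_AVAILABLE" else False
    return result


if __name__ == "__main__":
    print(audit_nginx_tls("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers 'AES128-SHA:DES-CBC3-SHA';"))
```

Feed the nginx fragment above to audit_nginx_tls and expect no findings; a legacy_accepted value of None from probe_live_host means the scanning machine itself could not speak TLS 1.0/1.1, so re-run the probe from a host that can before recording a pass.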

Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.