Severity: High
Compliance references: GDPR Art. 32; ISO 27001 A.8.24; CIS Controls CIS 3
Fix TLS: valid certificate and modern protocols only
Your certificate must be valid for the hostname and unexpired, and the server should negotiate only TLS 1.2 or later, never SSLv3, TLS 1.0 or TLS 1.1.
Why it matters
An expired or mismatched certificate breaks trust and blocks users; deprecated protocols (TLS 1.0/1.1) are vulnerable to known downgrade and decryption attacks. Both are hard failures in any compliance review.
How to fix it
Automate certificate renewal (e.g. ACME/Let's Encrypt), disable TLS 1.0/1.1 and weak ciphers, and prefer forward-secret suites. Re-test after every server or CDN change.
# nginx: modern protocols only. ssl_ciphers governs TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL.
ssl_protocols TLSv1.2 TLSv1.3;
# Let the client's preference win: every listed suite is already ECDHE (forward-secret) AEAD.
ssl_prefer_server_ciphers off;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
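The re-test the guide asks for after every change, as an added Go example that is not the page's or nginx's own code: it stands up a local server configured like the snippet above (TLS 1.2 floor, a forward-secret ECDHE suite) and probes it one protocol version at a time, reporting the certificate's remaining days and which versions the server accepted. The hostname example.com and the certificate are assumptions taken from Go's httptest package, which ships a long-lived localhost certificate for that name; for a live server, call Probe with the real host:port and x509.SystemCertPool() instead.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe handshakes with addr pinned to one protocol version at a time, verifying the presented
// certificate for host against roots (an expired or mismatched certificate fails here). It returns
// the days left on the certificate (-1 if no handshake verified) and, per version, whether the
// server accepted it. SSLv3 is omitted because Go's client cannot speak it at all.
func Probe(addr, host string, roots *x509.CertPool) (daysLeft int, accepted map[uint16]bool) {
	daysLeft, accepted = -1, map[uint16]bool{}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: host, MinVersion: v, MaxVersion: v})
		accepted[v] = err == nil
		if err == nil {
			daysLeft = int(time.Until(c.ConnectionState().PeerCertificates[0].NotAfter).Hours() / 24)
			c.Close()
		}
	}
	return daysLeft, accepted
}

// Demo stands up a local HTTPS server configured like the nginx snippet (TLS 1.2 floor, one
// forward-secret ECDHE suite; TLS 1.3 suites are fixed by the library, just as nginx's ssl_ciphers
// does not govern them) using httptest's built-in localhost certificate (assumed), then probes it.
func Demo() (int, map[uint16]bool) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the demo certificate, as a browser trusts its roots
	return Probe(srv.Listener.Addr().String(), "example.com", roots)
}

func main() {
	days, accepted := Demo()
	fmt.Printf("certificate days left: %d, accepted versions (0x0301..0x0304): %v\n", days, accepted)
}
```

A correctly hardened server yields accepted[TLS 1.0] and accepted[TLS 1.1] false and the two modern versions true; a negative day count means the certificate has already expired.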
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.