1. Introduction
The SSL/TLS Recommended Cipher Suites vulnerability means a server is offering older, less secure ways to encrypt connections. This can allow attackers to intercept sensitive data like usernames and passwords. It affects servers using SSL/TLS for communication, such as web servers, email servers, and VPN gateways. A successful exploit could compromise the confidentiality of data in transit.
2. Technical Explanation
The issue occurs when a server advertises cipher suites that are known to be weak or have vulnerabilities. Attackers can use this to force a connection using a less secure cipher, making it easier to decrypt communications. Exploitation requires a network connection to the vulnerable server and the ability to initiate a TLS handshake. There is no specific CVE associated with simply advertising discouraged ciphers; however, many individual cipher suites have known vulnerabilities.
- Root cause: The server’s SSL/TLS configuration includes outdated or weak cipher suites.
- Exploit mechanism: An attacker uses a tool like OpenSSL’s s_client to connect to the server and negotiate a vulnerable cipher suite during the TLS handshake. This allows them to potentially decrypt the traffic.
- Scope: Any system using OpenSSL, GnuTLS, or other SSL/TLS libraries with default or poorly configured cipher suites is affected. Affected versions depend on the specific library and configuration.
3. Detection and Assessment
- Quick checks: Use a website like SSL Labs Server Test (https://www.ssllabs.com/ssltest/) to identify supported cipher suites.
- Scanning: Nessus plugin ID 16284 can detect weak cipher suites. OpenVAS also has relevant scanners. These are examples only, and results should be verified.
- Logs and evidence: Server logs may show the negotiated cipher suite during TLS handshakes. Look for entries containing cipher names from the discouraged list.
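The log review described above, as an added example that is not part of the original advisory: it assumes an Apache access log whose LogFormat appends "%{SSL_PROTOCOL}x %{SSL_CIPHER}x" to each line (the sample lines are constructed), and flags every handshake that used a legacy protocol or a cipher suite outside the recommended list before the suites are removed.

```python
import re

# Recommended suites from the remediation steps, in OpenSSL naming.
RECOMMENDED = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample lines (assumed LogFormat: combined log + "%{SSL_PROTOCOL}x %{SSL_CIPHER}x").
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 1024 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 TLSv1.2 AES128-SHA
203.0.113.8 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 TLSv1 ECDHE-RSA-AES256-SHA
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 - -
"""

# Client IP is the first field; protocol and cipher are the last two ("-" means plain HTTP).
LINE_RE = re.compile(r"^(?P<ip>\S+) .* (?P<proto>\S+) (?P<cipher>\S+)$")

def parse_line(line):
    """Return (ip, protocol, cipher), or None for non-TLS or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("proto") == "-":
        return None
    return m.group("ip"), m.group("proto"), m.group("cipher")

def find_weak_handshakes(log_text):
    """List (ip, protocol, cipher, reason) for each handshake outside the recommended set."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, proto, cipher = parsed
        if proto not in ALLOWED_PROTOCOLS:
            findings.append((ip, proto, cipher, "legacy protocol"))
        elif cipher not in RECOMMENDED:
            findings.append((ip, proto, cipher, "discouraged cipher"))
    return findings

if __name__ == "__main__":
    for ip, proto, cipher, reason in find_weak_handshakes(SAMPLE_LOG):
        print(f"{ip}\t{proto}\t{cipher}\t{reason}")
```

Clients that appear in the output are the ones that will fail to connect once the discouraged suites are removed, so they can be reviewed before the change window.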
- Command-line check: the following prints the protocol and cipher suite negotiated for a single TLS 1.2 handshake with the server (replace yourserver.com with the host under review):
openssl s_client -connect yourserver.com:443 -tls1_2 </dev/null 2>/dev/null | grep -E 'Protocol|Cipher'
4. Solution / Remediation Steps
Fix this issue by only enabling recommended cipher suites on the server. This improves security and ensures compatibility with modern clients.
4.1 Preparation
- Ensure you have a rollback plan in place, such as restoring from backup or reverting the configuration file. A change window may be needed for production systems.
4.2 Implementation
- Step 1: Edit your server’s SSL/TLS configuration file (e.g., Apache httpd.conf, Nginx nginx.conf).
- Step 2: Remove any cipher suites not listed in the recommended list below.
- Step 3: Add the following cipher suites to your configuration (IANA hex identifier followed by the suite name):
  TLSv1.3:
  – 0x13,0x01 TLS13_AES_128_GCM_SHA256
  – 0x13,0x02 TLS13_AES_256_GCM_SHA384
  – 0x13,0x03 TLS13_CHACHA20_POLY1305_SHA256
  TLSv1.2:
  – 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
  – 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
  – 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
  – 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
  – 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
  – 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
  – 0xCC,0xAA DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  Note: OpenSSL-based servers name the TLSv1.3 suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256, and the last TLSv1.2 entry DHE-RSA-CHACHA20-POLY1305; use those spellings in OpenSSL cipher strings.
- Step 4: Restart the affected service to apply the changes.
4.3 Config or Code Example
Before (Apache mod_ssl; still allows TLS 1.0/1.1 and every HIGH-strength suite, not only the recommended ones):
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
After (Apache 2.4.36+ with OpenSSL 1.1.1+; the TLSv1.3 form sets the TLS 1.3 suites and the plain form the TLS 1.2 suites):
SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Secure Defaults – Configure services with the most secure settings out-of-the-box to minimise attack surface.
- Practice 2: Patch Cadence – Regularly update SSL/TLS libraries and server software to address known vulnerabilities.
4.5 Automation (Optional)
# Example Ansible tasks for nginx (ssl_protocols/ssl_ciphers; SSLCipherSuite is the Apache directive).
# TLS 1.3 suites are fixed by OpenSSL and are not listed in ssl_ciphers; lineinfile appends at EOF if no line matches.
- name: Restrict protocols to TLS 1.2 and 1.3
  ansible.builtin.lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^\s*ssl_protocols'
    line: '    ssl_protocols TLSv1.2 TLSv1.3;'
- name: Replace the TLS 1.2 cipher list with the recommended suites
  ansible.builtin.lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^\s*ssl_ciphers'
    line: '    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305;'