1. Home
  2. Network Vulnerabilities
  3. How to remediate – TLS ALPN Supported Protocol Enumeration
Searching...

How to remediate – TLS ALPN Supported Protocol Enumeration

Contents

1. Introduction

The TLS ALPN Supported Protocol Enumeration vulnerability means a remote host is advertising which protocols it supports when using Transport Layer Security (TLS) with Application-Layer Protocol Negotiation (ALPN). This allows attackers to gather information about the services running on the target system, potentially aiding in further attacks. Systems offering TLS services are usually affected, such as web servers, email servers and VPN gateways. A successful exploit could lead to information disclosure.

2. Technical Explanation

  • Root cause: The TLS ALPN extension advertises supported protocols during the handshake.
  • Exploit mechanism: An attacker passively observes the TLS handshake to enumerate supported protocols. Tools like nmap can be used for this purpose.
  • Scope: Any system running TLS 1.2 or later is potentially affected, including web servers (Apache, Nginx), email servers (Postfix, Exchange) and VPN gateways (OpenVPN).

3. Detection and Assessment

You can confirm a system supports ALPN by checking the TLS configuration. A quick check involves using openssl to connect to the service and examine the negotiated protocols. More thorough assessment requires network traffic analysis.

  • Quick checks: Use openssl s_client -connect : -tls1_2 and look for “ALPN protocols” in the output.
  • Scanning: Nmap script ssl-enum-ciphers can identify supported ALPN protocols (example only).
  • Logs and evidence: Review TLS session logs for protocol negotiation details, if available.
openssl s_client -connect example.com:443 -tls1_2

4. Solution / Remediation Steps

While supporting ALPN is not inherently insecure, limiting the advertised protocols can reduce the information available to attackers. Disabling support for older or unused protocols is recommended.

4.1 Preparation

  • Ensure you have access to the server’s configuration files. A roll back plan involves restoring the original configuration file.
  • Changes may require a change window depending on service criticality, with approval from the system owner.

4.2 Implementation

  1. Step 1: Identify and remove any unused or outdated protocols from your TLS configuration. For example, in Apache, edit the SSL configuration file.
  2. Step 2: Restart the web server to apply the changes.

4.3 Config or Code Example

Before

SSLProtocol All -SSLv2 -SSLv3

After

SSLProtocol TLSv1.2 TLSv1.3

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence. If a practice does not apply, do not include it.

  • Practice 1: Least privilege to limit the impact if an attacker gains information about supported protocols.
  • Practice 2: Regularly review and update TLS configurations to remove unused or outdated protocols.

4.5 Automation (Optional)

# Example Ansible task to update SSLProtocol in Apache configuration
- name: Update SSLProtocol in Apache config
  lineinfile:
    path: /etc/apache2/mods-enabled/ssl.conf
    regexp: '^SSLProtocol'
    line: 'SSLProtocol TLSv1.2 TLSv1.3'
  notify: Restart Apache

5. Verification / Validation

Confirm the fix by checking that only the expected protocols are advertised during a TLS handshake. Re-run the openssl command and verify the output.

  • Post-fix check: Run openssl s_client -connect : -tls1_2 and confirm only TLSv1.2 or TLSv1.3 are listed under “ALPN protocols”.
  • Re-test: Re-run the quick check from section 3 to verify that unwanted protocols are no longer advertised.
  • Smoke test: Verify web pages load correctly, email sending/receiving works as expected, and VPN connections can be established.
  • Monitoring: Monitor TLS session logs for unexpected protocol negotiation attempts (example only).
openssl s_client -connect example.com:443 -tls1_2

6. Preventive Measures and Monitoring

Update security baselines to include recommended TLS configurations. Implement regular vulnerability scanning and configuration reviews.

  • Baselines: Update your security baseline or policy to enforce the use of only TLSv1.2 and TLSv1.3, for example using CIS benchmarks.
  • Asset and patch process: Implement a regular review cycle (e.g., quarterly) for TLS configurations across all assets.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Older clients may be unable to connect if they do not support TLSv1.2 or TLSv1.3.
  • Risk or side effect 2: Service interruption if the configuration is incorrect.
  • Roll back:
    1. Step 1: Restore the original TLS configuration file from backup.
    2. Step 2: Restart the affected service.

8. References and Resources

  • Vendor advisory or bulletin: Check your vendor’s security advisories for specific TLS configuration recommendations.
  • NVD or CVE entry: https://tools.ietf.org/html/rfc7301
  • Product or platform documentation relevant to the fix: Refer to your web server, email server, or VPN gateway documentation for TLS configuration details.
Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles