Insecure Transportation Security Protocol Supported (SSLv2)

Configure your web server to disallow using weak ciphers.

• For Apache, you should modify the SSLProtocol directive in the httpd.conf.

  SSLProtocol +TLSv1.2

• For Nginx, locate any use of the directive ssl_protocols in the nginx.conf file and remove SSLv3.

  ssl_protocols TLSv1.2;

• For Microsoft IIS, you should make some changes on the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL2\
  3. Locate a key named "Server." If it doesn't exist, create it.
  4. Under the "Server" key, locate a DWORD value named "Enabled." If it doesn't exist, create it and set it to "0".
• For lighttpd, put the following lines in your configuration file:

  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.openssl.ssl-conf-cmd = ("Protocol" => "-TLSv1.1, -TLSv1, -SSLv3") # v1.4.48 or up
  ssl.ec-curve = "secp384r1"