Deprecated TLS Protocol
What This Check Does
The Deprecated TLS Protocol check tests whether your server accepts connections using outdated TLS protocol versions — specifically SSLv3, TLS 1.0, or TLS 1.1. DNS Spy attempts negotiation using these deprecated protocol versions and flags your domain if the server accepts them. Modern servers should only accept TLS 1.2 and TLS 1.3.
Why It Matters
TLS 1.0 and TLS 1.1 are vulnerable to a range of known attacks including BEAST, POODLE, and CRIME. SSLv3 is considered completely broken. These protocols use weak cipher suites and hash functions that have been cryptographically defeated. The PCI DSS standard mandated the disablement of TLS 1.0 as of June 2018, and TLS 1.1 was formally deprecated by the IETF in March 2021 (RFC 8996).
Servers that still accept deprecated TLS versions are potentially vulnerable to downgrade attacks, where an attacker forces a connection to use a weaker protocol version even if the client supports modern versions.
Good vs. Bad Configuration
Bad Configuration
The server for example.com accepts TLS 1.0 connections. A client can initiate a TLS 1.0 handshake and exchange data using cipher suites that are vulnerable to known attacks.
Good Configuration
The server for example.com only accepts TLS 1.2 and TLS 1.3. Connections attempted with SSLv3, TLS 1.0, or TLS 1.1 are rejected. Modern cipher suites are used and forward secrecy is enabled.
How DNS Spy Monitors This
DNS Spy probes your server's TLS configuration during each monitoring cycle, testing for acceptance of deprecated protocol versions. If any deprecated version is accepted, an alert is raised. Disabling TLS 1.0 and TLS 1.1 in your web server or load balancer configuration will resolve the alert on the next check cycle.
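The following Python script is an added example written for this page, not DNS Spy's own code. It shows both halves of what the sections above describe: the two server-side configurations contrasted under "Good vs. Bad Configuration" (expressed as `ssl.SSLContext` objects, since Python's `ssl` module exposes the same minimum-version floor that a web server's `ssl_protocols` or `SSLProtocol` directive sets), and a probe in the spirit of the monitoring check, which offers a server exactly one deprecated version at a time and raises an alert if any is accepted. The function names, the `ProbeResult`/`CheckOutcome` types and the "untestable" status are this example's own conventions. One caveat the probe handles: a modern OpenSSL build often refuses to speak TLS 1.0/1.1 itself, so a handshake failure has to be attributed to the right side before it is counted as "rejected".

```python
"""Added example for this page (not DNS Spy's implementation): hardened vs.
permissive server TLS floors, and a single-version probe for deprecated TLS."""
import socket
import ssl
from dataclasses import dataclass, field

# Versions the check flags. The enum members exist in Python 3.7+.
DEPRECATED_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
}


def hardened_server_context() -> ssl.SSLContext:
    """'Good configuration': refuse everything below TLS 1.2.
    The caller still loads its certificate with ctx.load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_server_context() -> ssl.SSLContext:
    """'Bad configuration': a legacy-compatibility setting that lowers the
    floor to TLS 1.0. Included only to contrast with the hardened context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def context_accepts_deprecated(ctx: ssl.SSLContext) -> bool:
    """True if the floor is below TLS 1.2. A floor left at the library default
    (MINIMUM_SUPPORTED) is treated as unsafe because it depends on the build."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return True
    return floor < ssl.TLSVersion.TLSv1_2


@dataclass
class ProbeResult:
    version: str
    status: str  # "accepted", "rejected" or "untestable"
    detail: str = ""


def probe_version(host: str, port: int, name: str, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> ProbeResult:
    """Offer the server exactly one protocol version and report the outcome.
    Certificate verification is disabled on purpose: this measures protocol
    acceptance only, so the result must never be read as a trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:  # local library was built without this version
        return ProbeResult(name, "untestable", f"local TLS library cannot offer it: {exc}")
    try:
        # OpenSSL's default security level blocks legacy versions client-side;
        # lower it for the probe only, so a failure reflects the server's choice.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher-string directive unsupported (e.g. LibreSSL); keep defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult(name, "accepted", f"negotiated {tls.version()}")
    except ssl.SSLError as exc:
        # NO_PROTOCOLS_AVAILABLE is raised before anything reaches the wire:
        # our side refused, not the server's. Other handshake failures count
        # as the server declining the offered version.
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return ProbeResult(name, "untestable", exc.reason)
        return ProbeResult(name, "rejected", exc.reason or str(exc))
    except OSError as exc:  # connection refused, timeout, DNS failure
        return ProbeResult(name, "untestable", str(exc))


@dataclass
class CheckOutcome:
    alert: bool
    accepted: list = field(default_factory=list)
    results: list = field(default_factory=list)


def evaluate(results) -> CheckOutcome:
    """The page's rule: any accepted deprecated version raises the alert."""
    accepted = [r.version for r in results if r.status == "accepted"]
    return CheckOutcome(alert=bool(accepted), accepted=accepted, results=list(results))


def check_deprecated_tls(host: str, port: int = 443) -> CheckOutcome:
    return evaluate([probe_version(host, port, n, v) for n, v in DEPRECATED_VERSIONS.items()])


if __name__ == "__main__":
    import sys
    outcome = check_deprecated_tls(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    for r in outcome.results:
        print(f"{r.version:8} {r.status:11} {r.detail}")
    print("ALERT: deprecated TLS accepted" if outcome.alert else "OK: only TLS 1.2+ accepted")
```

Run it as `python probe.py your-host.example` against a host you operate. An "untestable" row is not a pass: it means the probing machine could not offer that version (typical for SSLv3 on current OpenSSL builds), so confirm those versions with a second tool or from a host whose TLS library still speaks them. A `rejected` row with reason `TLSV1_ALERT_PROTOCOL_VERSION` is the clean outcome the "Good Configuration" section describes.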