Rule catalog · Transport security

TLS 1.2 or newer is negotiated

Rule id: tls_uses_modern_version · Severity: medium · Weight: 5 · Category: Perimeter

Authored by Stanley Hong · AgentReserve (founder).

The negotiated TLS version is 1.2 or 1.3. TLS 1.0 and 1.1 are deprecated by RFC 8996: their handshake PRF depends on MD5 and SHA-1, and their CBC cipher suites have a history of padding-oracle attacks. A server that still offers them gives an active attacker a downgrade target, so offering them at all broadens the attack surface even when a modern client would normally negotiate 1.2 or 1.3.

When this rule runs

Evaluated on every scan. The check needs only the URL, the TLS handshake, or the HTTP response headers, so it runs even when the MCP layer is auth-walled or unresponsive.

Why it matters

TLS 1.0 and 1.1 are deprecated (RFC 8996) and contain weaknesses that have driven every major browser to drop them. A modern server should refuse them outright.

Pass condition

Negotiated protocol is `TLSv1.2` or `TLSv1.3`.

Fail condition

Negotiated protocol is `TLSv1.0`, `TLSv1.1`, or older.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"protocol": "TLSv1.0"}
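The following is an added example of how the pass/fail condition and the evidence shape above can be implemented with Python's standard `ssl` module; it is not the scanner's own code, and the function names, the `scan()` report layout, and the module name `tls_version_probe.py` are assumptions. It goes one step beyond the rule text: besides recording what a default client negotiates, it caps the client at TLS 1.0 and then TLS 1.1 and records whether the server still accepts them, because a server that offers legacy versions will usually still negotiate 1.2 or 1.3 with a modern probe and would otherwise look clean.

```python
"""Probe and evaluate the negotiated TLS version (tls_uses_modern_version).

Added example, not the scanner's own code.  Function names and the report
shape are assumptions; the evidence key "protocol" follows the catalog.
"""
import socket
import ssl
from typing import Optional

PASSING = {"TLSv1.2", "TLSv1.3"}


def normalize(version: Optional[str]) -> Optional[str]:
    """Map the OpenSSL spelling onto the catalog's spelling.

    ssl.SSLSocket.version() reports TLS 1.0 as "TLSv1"; the rule's evidence
    writes it as "TLSv1.0".  Other names already match.
    """
    return "TLSv1.0" if version == "TLSv1" else version


def evaluate(evidence: dict) -> str:
    """Apply the pass/fail condition to evidence like {"protocol": "TLSv1.0"}.

    Anything other than TLSv1.2 / TLSv1.3, including a missing value, fails
    closed: an unreadable version is not proof of a modern one.
    """
    return "pass" if evidence.get("protocol") in PASSING else "fail"


def negotiated_protocol(host: str, port: int = 443, *,
                        max_version: Optional[ssl.TLSVersion] = None,
                        timeout: float = 5.0) -> Optional[str]:
    """Handshake with host:port and return the negotiated version, or None
    if the server refused the handshake (or was unreachable).

    max_version caps what the client offers.  With TLSVersion.TLSv1_1, a
    None result means the server correctly refuses legacy TLS; a string
    means it still accepts it, even though a default client would have
    negotiated 1.2+ against the same server.
    """
    ctx = ssl.create_default_context()
    # Certificate validity belongs to a different rule; only the version
    # matters here, so trust checks are switched off for the probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if max_version is not None:
        # Lower the floor before the ceiling so the range is never inverted
        # (create_default_context() sets a 1.2 minimum on recent Pythons).
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = max_version
        try:
            # OpenSSL 3 refuses TLS < 1.2 at its default security level, so a
            # deliberate legacy probe has to drop to level 0.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # builds without security levels (e.g. LibreSSL)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return normalize(tls.version())
    except (ssl.SSLError, OSError):
        return None


def scan(host: str, port: int = 443) -> dict:
    """Run the rule as a scanner would: record the negotiated version as
    evidence, then also ask whether the server still accepts TLS 1.0/1.1."""
    negotiated = negotiated_protocol(host, port)
    evidence = {"protocol": negotiated}
    legacy_accepted = [
        name for name, cap in (("TLSv1.0", ssl.TLSVersion.TLSv1),
                               ("TLSv1.1", ssl.TLSVersion.TLSv1_1))
        if negotiated_protocol(host, port, max_version=cap) is not None
    ]
    if legacy_accepted:
        evidence["legacy_accepted"] = legacy_accepted
    verdict = evaluate(evidence)
    # Extension beyond the rule text: a server that still *accepts* legacy
    # TLS is the thing the rationale warns about, so report it as a failure.
    if verdict == "pass" and legacy_accepted:
        verdict = "fail"
    return {"rule": "tls_uses_modern_version", "verdict": verdict,
            "evidence": evidence}


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(json.dumps(scan(target), indent=2))
```

Run it as `python tls_version_probe.py host` against a server you are authorised to test. The legacy probes do the same job as `openssl s_client -connect host:443 -tls1_1`, which on OpenSSL 3 likewise needs `-cipher 'DEFAULT:@SECLEVEL=0'` before the client will even offer TLS 1.1. A `None` from the default handshake is recorded as `{"protocol": null}` and fails, which is the right default for a rule whose evidence is the handshake itself.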

Remediation

Configure the TLS terminator (load balancer, reverse proxy, CDN edge, or the application's own listener, whichever actually completes the handshake) to set TLS 1.2 as the minimum version with TLS 1.3 enabled and preferred, and remove TLS 1.0 and 1.1 from the protocol list or security policy rather than relying on cipher ordering alone. After the change, confirm that a client offering only TLS 1.1 is refused; a client that simply negotiates 1.2 against the server does not prove that the older versions are gone.

Methodology

This rule belongs to the Transport security dimension, which covers how the server is reached on the wire: TLS and the protocol-level confidentiality of probe traffic.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.