Weak SSL cipher on Vercel
Your server accepts old TLS versions (TLS 1.0, 1.1) or weak cipher suites (RC4, 3DES, CBC-mode). These have known vulnerabilities and are being phased out. Modern recommendations: support only TLS 1.2 and TLS 1.3, with AEAD ciphers (AES-GCM, ChaCha20). On managed platforms (Vercel, Cloudflare), this is mostly handled automatically. If your scanner flags weak ciphers, check whether you have a legacy TLS setting enabled.
The fix for Vercel
Vercel uses modern TLS by default. If your site is still flagged, check whether you have a custom origin or proxy in front of it.
Why it matters
TLS 1.0/1.1 are deprecated by PCI DSS and most major browsers. Weak ciphers enable downgrade and padding-oracle attacks. For a serious security posture — or to meet compliance — these must be disabled.
Confirm the fix worked
Scan your Vercel site to confirm this finding is gone.
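To triage a scan result against the policy above (TLS 1.2/1.3 only, AEAD suites only), here is an added example that is not part of the original guide or any scanner's own code. It assumes the scan output has been reduced to one "<protocol> <suite>" pair per line (a hypothetical format), and the sample lines are constructed.

```python
import re

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")  # CCM is AEAD too; the guide names GCM and ChaCha20

def protocol_ok(raw):
    """True only for TLS 1.2 / 1.3, written as 'TLSv1.2', 'TLS 1.3', etc."""
    m = re.fullmatch(r"(?i)tls\s*v?\s*1(?:\.(\d))?", raw.strip())
    return bool(m) and int(m.group(1) or 0) >= 2

def suite_problem(suite):
    """Return why a suite is weak, or None if it is AEAD."""
    name = suite.upper().replace("-", "_")
    if "RC4" in name:
        return "RC4"
    if "3DES" in name or "DES_CBC3" in name:  # IANA and OpenSSL spellings
        return "3DES"
    if any(marker in name for marker in AEAD_MARKERS):
        return None
    # OpenSSL names CBC suites without the word "CBC" (e.g. AES128-SHA),
    # so anything lacking an AEAD marker is treated as CBC or other legacy.
    return "non-AEAD (CBC or other legacy mode)"

def audit(scan_text):
    """Return [(protocol, suite, [reasons])] for every pair that violates the policy."""
    findings = []
    for line in scan_text.splitlines():
        parts = line.strip().rsplit(None, 1)  # protocol may contain a space
        if len(parts) != 2:
            continue
        protocol, suite = parts
        reasons = [] if protocol_ok(protocol) else ["deprecated protocol"]
        problem = suite_problem(suite)
        if problem:
            reasons.append(problem)
        if reasons:
            findings.append((protocol, suite, reasons))
    return findings

# Constructed sample input, not output from a real scan.
SAMPLE = """\
TLSv1.3 TLS_AES_256_GCM_SHA384
TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 ECDHE-RSA-AES256-SHA384
TLS 1.1 ECDHE-RSA-AES128-SHA
TLS 1.0 DES-CBC3-SHA
TLSv1 RC4-SHA
"""

if __name__ == "__main__":
    for protocol, suite, reasons in audit(SAMPLE):
        print(f"FAIL {protocol:8} {suite:28} {', '.join(reasons)}")
```

An empty result from audit() means every listed pair meets the policy. It says nothing about pairs the scan did not list.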
AI prompt
Apply across your codebase
Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.
My SSL Labs report shows weak TLS protocols or ciphers. Tell me my current host (Vercel, Cloudflare, nginx, Apache) and give me the exact config change to require TLS 1.2 minimum and enable only modern AEAD cipher suites. After the change, tell me how to re-test with SSL Labs.
FAQ
Frequently asked questions
- Will disabling TLS 1.0/1.1 break old users?
- Only users on Windows XP / very old Android. The fraction is under 0.1% on most sites. The compliance and security benefits outweigh the cost.
Related fix guides
Fix these too
Expired SSL certificate
An expired certificate breaks your site — browsers show a big red warning. Here is how to renew and set up auto-renewal.
Mixed content warnings
Loading HTTP resources from an HTTPS page breaks the security guarantee. Browsers block most of it automatically now — here is how to fix the rest.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.