Skip to main content

Validate TLS SSL Hardening

Overview

This script validates that insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) and specified weak cipher suites are disabled at both the server and client levels on the system, while ensuring TLS 1.2 and TLS 1.3 are enabled when supported, providing a clear PASS/FAIL status without making any changes.

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Sample Run

Play Button > Run Automation > Script

SampleRun1

Dependencies

Automation Setup/Import

Automation Configuration

Output

  • Activity Details

Changelog

2026-06-18

  • Updated the script to validate that TLS 1.2 and TLS 1.3 are enabled when supported by the operating system. The script now updates the cpvalTlsSslHardeningRequired custom field if any insecure protocol is enabled, any weak cipher suite is present, or if TLS 1.2 and/or TLS 1.3 are not enabled when supported.

2026-04-10

  • Initial version of the document.