Will It Vibe logoWill It Vibe?
TF-020Low severity-4 points

Weak TLS policy on a listener or distribution

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A deprecated ELB security policy or a minimum protocol version of TLS 1.0/1.1 (or SSLv3) allows clients to negotiate protocol versions with known weaknesses.

Why it matters

A deprecated ELB security policy or a minimum protocol version of TLS 1.0, TLS 1.1, or SSLv3 lets clients negotiate old protocol versions with known weaknesses such as BEAST and POODLE. Attackers can exploit these to downgrade or read traffic. Current guidance is a floor of TLS 1.2.

How to fix it

Set ssl_policy to a current TLS 1.2-or-higher policy (for example ELBSecurityPolicy-TLS13-1-2-2021-06), and set minimum_protocol_version to TLSv1.2_2021 or later on CloudFront distributions. Check client compatibility before dropping older versions, though nearly all modern clients support TLS 1.2. Standardize the policy across all listeners.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks