
How to verify Weak Cipher Suites, check what’s enabled, and where to fix it?

Our scanner may report Weak Cipher Suites when a service supports TLS cipher suites whose key exchange, encryption, or MAC algorithm is outdated or insecure, such as:

  • Weak RSA

  • 3DES

  • RC4

  • CBC-based suites

Weak cipher suites can:

  • Reduce encryption strength

  • Enable downgrade attacks or practical cryptanalysis (for example RC4 keystream biases, SWEET32 against 64-bit block ciphers such as 3DES, and padding-oracle attacks against CBC suites)

  • Violate compliance requirements (NIST, PCI-DSS, ISO 27001)


Verify the Active Cipher Suites

To verify which cipher suites a service currently offers, run the following from a trusted system that can reach the target on the affected ports:

nmap --script ssl-enum-ciphers -p <ports> <target-ip>

Replace <ports> with the affected port or a comma-separated list (for example 443,8443) and <target-ip> with the scanned host.

This command lists:

  • TLS versions supported by the service

  • Cipher suites offered on those ports, each with nmap's strength grade (A to F), followed by warnings for known-weak constructions (for example SWEET32 for 3DES) and the "least strength" of the whole set


Application TLS vs OS TLS

Services running on the affected ports may use their own TLS stack (e.g., OpenSSL, BoringSSL, Java's JSSE, Go's crypto/tls) instead of the operating system default (e.g., Windows SCHANNEL).

  • If the service uses its own TLS stack, system-level TLS/cipher settings will not take effect.

  • In such cases, weak ciphers must be disabled in the application or service configuration itself (for example the cipher list or TLS policy of the web server, application server, or runtime).
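As an added example (not part of the Holm Security article), the following script shows one quick way to tell, on Linux, whether a service binary brings its own TLS library or uses none of the shared OS libraries: it classifies `ldd` output by the TLS library it references. The binary path and the sample `ldd` lines are constructed for illustration; the "none" result covers both statically linked stacks (typical for Go binaries, which use crypto/tls) and runtimes such as the JVM that never load libssl, and in either case OS-level cipher settings will not apply.

```shell
#!/bin/sh
# Added example, not from the Holm Security article: classify the TLS stack
# a Linux service binary links against, based on its `ldd` output.
# Sample ldd lines below are constructed; binary paths are placeholders.

# Reads `ldd` output on stdin and prints exactly one of:
#   openssl  - libssl/libcrypto (OpenSSL or a fork such as BoringSSL/LibreSSL)
#   gnutls   - libgnutls
#   nss      - Mozilla NSS (libnss3/libssl3)
#   none     - no shared TLS library: statically linked (e.g. Go crypto/tls)
#              or a runtime with its own stack (e.g. JVM JSSE)
tls_stack_from_ldd() {
  awk '
    /libssl\.so|libcrypto\.so/ { found = "openssl" }
    /libgnutls\.so/            { if (found == "") found = "gnutls" }
    /libnss3\.so|libssl3\.so/  { if (found == "") found = "nss" }
    END { print (found == "" ? "none" : found) }
  '
}

# Usage: tls_stack_of_binary /usr/sbin/nginx
# Prints "unknown" if the path is not an executable on this host.
tls_stack_of_binary() {
  if [ -x "$1" ]; then
    # ldd exits non-zero on a static binary; awk still prints "none"
    ldd "$1" 2>/dev/null | tls_stack_from_ldd
  else
    echo "unknown"
  fi
}

# Constructed sample: what `ldd` prints for an nginx built against OpenSSL 3
SAMPLE_LDD_NGINX='    linux-vdso.so.1 (0x00007ffd9a3f0000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f3a1c1c0000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f3a1c100000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1bc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1b900000)'

# Constructed sample: what `ldd` prints for a statically linked Go service
SAMPLE_LDD_GO='    not a dynamic executable'

if [ "$#" -ge 1 ]; then
  tls_stack_of_binary "$1"
else
  printf 'nginx sample -> %s\n' "$(printf '%s\n' "$SAMPLE_LDD_NGINX" | tls_stack_from_ldd)"
  printf 'go service sample -> %s\n' "$(printf '%s\n' "$SAMPLE_LDD_GO" | tls_stack_from_ldd)"
fi
```

Run it with the path of the listening service's executable (find the process with `ss -ltnp` on Linux). A result of "openssl", "gnutls" or "nss" means the cipher list lives in that service's own configuration, not in the OS policy; "none" almost always means the same. On Windows, the equivalent check is whether the service's install directory ships its own libssl/libcrypto DLLs; only services that rely on SCHANNEL follow the system TLS settings.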


After Changes

Once weak ciphers have been disabled:

  1. Apply the cipher/TLS changes (OS or application, depending on the TLS stack).

  2. Restart the affected service. If you changed the OS stack on Windows (SCHANNEL registry settings), a reboot is required for the change to take effect.

  3. Re-run the nmap command to confirm weak ciphers are no longer offered.

  4. Re-scan using Holm Security to verify remediation.
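As an added example (not part of the Holm Security article), the script below covers both the "Verify the Active Cipher Suites" step and the post-change re-check in step 3: it parses the normal output of the nmap command from this article and prints every offered suite that falls into the article's weak categories (RC4, 3DES/DES, NULL/EXPORT/anonymous, MD5 MAC, CBC mode), plus anything nmap itself grades below A. The two nmap outputs embedded below are constructed samples of the same host before and after remediation; the target 192.0.2.10 and ports are placeholders, and the function names (weak_ciphers, scan_host, remediated) are this example's own.

```shell
#!/bin/sh
# Added example, not from the Holm Security article: filter the output of
#   nmap --script ssl-enum-ciphers -p <ports> <target-ip>
# down to the weak suites the article describes. The two nmap outputs below
# are constructed samples (before and after remediation of the same host).

# Reads nmap normal output on stdin; prints "<proto> <suite> <grade> <reason>"
# for every weak suite, nothing when the host offers none.
weak_ciphers() {
  awk '
    # protocol header line, e.g. "|   TLSv1.0:"
    /^\|[ _]+(SSLv[23]|TLSv1\.[0-3]):/ { proto = $2; sub(/:$/, "", proto); next }
    # cipher line, e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
    /^\|[ _]+(TLS|SSL)_[A-Z0-9_]+ / {
      suite = $2; grade = $NF; reason = ""
      if      (suite ~ /RC4/)               reason = "RC4"
      else if (suite ~ /3DES|_DES_/)        reason = "3DES/DES"
      else if (suite ~ /NULL|EXPORT|anon/)  reason = "null/export/anonymous"
      else if (suite ~ /_MD5$/)             reason = "MD5 MAC"
      else if (suite ~ /_CBC_/)             reason = "CBC mode"
      else if (grade != "A")                reason = "nmap grade " grade
      if (reason != "") print proto, suite, grade, reason
    }
  '
}

# Live scan wrapper: scan_host <target-ip> <ports>, e.g. scan_host 192.0.2.10 443,8443
scan_host() {
  nmap --script ssl-enum-ciphers -p "$2" "$1" | weak_ciphers
}

# Exit 0 when the scan output on stdin contains no weak suite (post-change check).
remediated() {
  [ "$(weak_ciphers | grep -c .)" -eq 0 ]
}

# Constructed sample: host before remediation (TLS 1.0 with 3DES/RC4, CBC suites)
SAMPLE_BEFORE='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C'

# Constructed sample: same host after remediation (AEAD suites only, TLS 1.2/1.3)
SAMPLE_AFTER='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A'

if [ "$#" -ge 2 ]; then
  scan_host "$1" "$2"
else
  echo "== before remediation =="
  printf '%s\n' "$SAMPLE_BEFORE" | weak_ciphers
  echo "== after remediation =="
  if printf '%s\n' "$SAMPLE_AFTER" | remediated; then
    echo "no weak suites offered"
  fi
fi
```

Against the "before" sample the filter reports four suites (3DES, RC4 and two CBC suites); against the "after" sample it reports none. The CBC rule flags suites that nmap still grades A, because the scanner's Weak Cipher Suites finding counts CBC-based suites regardless of grade, so do not rely on the nmap grade alone when confirming remediation. Run `scan_host <target-ip> <ports>` from the same trusted system before and after the service restart; an empty result is what you want before re-scanning with Holm Security.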