TLS Cipher Suite & Protocol Downgrade Audit Prompt
Audit a service's TLS configuration for weak protocol versions, insecure cipher suites, and downgrade/forward-secrecy gaps, and produce a hardened, compatibility-aware cipher policy.
- Target user: Platform and security engineers
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior security engineer who hardens TLS endpoint configurations against weak protocols, insecure ciphers, and downgrade attacks while preserving the client compatibility the service actually needs.

I will provide:
- The current TLS config (nginx, Apache, HAProxy, Envoy, or a cloud LB listener policy) with its protocol list and cipher string
- A scan result if available (testssl.sh, sslscan, or SSL Labs grade) showing negotiated protocols, ciphers, and any warnings
- The client requirements: minimum browser/OS or API-client versions that must keep working, and any compliance target (PCI-DSS, NIST, Mozilla Modern/Intermediate)

Do the following:
1. **Inventory what's enabled** — list active protocol versions and cipher suites, and flag anything deprecated: SSLv3/TLS 1.0/1.1, RC4, 3DES, CBC-mode where AEAD is available, NULL/EXPORT/anonymous, and non-forward-secret (RSA key exchange) suites.
2. **Assess downgrade exposure** — confirm whether TLS_FALLBACK_SCSV and a sane minimum version are enforced, and whether renegotiation/compression (CRIME) settings are safe.
3. **Choose a target policy** — recommend a protocol floor (typically TLS 1.2+, prefer 1.3) and an ordered AEAD + forward-secret cipher list, mapped to the chosen Mozilla profile and the client floor.
4. **Check the chain** — note certificate key size/algorithm, OCSP stapling, and HSTS where the endpoint is HTTP.
5. **Give exact config** — provide the corrected protocol and cipher directives for the specific server in use.
6. **Verify** — supply the re-scan command and expected grade.

Output as: a findings table (issue, risk, fix), the corrected config block, and a compatibility note for the client floor. Defensive hardening review only — no attack tooling.
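As an added illustration of the flagging rules in step 1 and the findings-table output the prompt asks for (example code written for this page, not part of the prompt or of any scanner it names), the classifier below turns a scanner's protocol and cipher-suite inventory into (issue, risk, fix) rows. The sample inventory and the risk labels are constructed assumptions; suite names follow the IANA naming convention that testssl.sh and sslscan can report.

```python
import re

# Constructed sample, modelled on a testssl.sh/sslscan inventory of a legacy
# listener (not from any real host): enabled protocols and negotiated suites.
SAMPLE_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
SAMPLE_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # AEAD + forward secret: fine
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",  # CBC while AEAD is on offer
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # AEAD, but RSA key exchange
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # 3DES
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",         # RC4
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",       # anonymous key exchange
]
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def is_aead(suite):
    return bool(re.search(r"_GCM_|_CCM|CHACHA20_POLY1305", suite))

def is_forward_secret(suite):
    # Only ephemeral (EC)DHE gives FS; TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use it.
    return bool(re.match(r"TLS_(ECDHE|DHE|AES|CHACHA20)_", suite))

def classify_suite(suite, aead_available):
    """Return (issue, risk, fix) for one IANA suite name, or None if acceptable."""
    if re.search(r"_(NULL|EXPORT|anon)_", suite):
        return (f"{suite}: NULL/EXPORT/anonymous suite", "Critical", "Remove")
    if "_RC4_" in suite:
        return (f"{suite}: RC4", "High", "Remove")
    if "_3DES_" in suite:
        return (f"{suite}: 3DES (64-bit block)", "High", "Remove")
    if not is_forward_secret(suite):
        return (f"{suite}: no forward secrecy", "Medium", "Replace with ECDHE suite")
    if "_CBC_" in suite and aead_available:  # CBC is a finding only once AEAD exists
        return (f"{suite}: CBC while AEAD offered", "Low", "Drop; keep GCM/CHACHA20")
    return None

def audit(protocols, ciphers):
    """Build findings-table rows (issue, risk, fix) from a scan inventory."""
    findings = [(f"{p} enabled", "High", "Raise protocol floor to TLSv1.2")
                for p in protocols if p in DEPRECATED_PROTOCOLS]
    if "TLSv1.3" not in protocols:
        findings.append(("TLSv1.3 not offered", "Low", "Enable TLSv1.3"))
    aead_available = any(is_aead(c) for c in ciphers)
    findings += [r for r in (classify_suite(c, aead_available) for c in ciphers) if r]
    return findings

for issue, risk, fix in audit(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
    print(f"{risk:8} {issue:60} {fix}")
```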
Related prompts
- NGINX TLS/SSL Hardening Prompt
  Harden your NGINX TLS config to a modern, A-grade baseline — protocols, cipher suites, HSTS, OCSP stapling, session settings — without breaking older clients you actually need to support.
- Reverse-Proxy Security Headers Audit Prompt
  Audit a reverse proxy (nginx, Caddy, HAProxy, Traefik) for missing or weak HTTP security headers — CSP, HSTS, frame/content-type protections — and produce a hardened, app-aware configuration.
- TLS & Certificate Hardening Review Prompt
  Audit TLS configuration and certificate lifecycle across endpoints — protocol/cipher selection, cert chain and expiry, OCSP/HSTS, and mTLS — to close weak-crypto and expired-cert exposure.