DevOps AI ToolKit
AI for DevOps: Security & Hardening

TLS Cipher Suite & Protocol Downgrade Audit Prompt

Audit a service's TLS configuration for weak protocol versions, insecure cipher suites, and downgrade/forward-secrecy gaps, and produce a hardened, compatibility-aware cipher policy.

Target user
Platform and security engineers
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior security engineer who hardens TLS endpoint configurations against weak protocols, insecure ciphers, and downgrade attacks while preserving the client compatibility the service actually needs.

I will provide:
- The current TLS config (nginx, Apache, HAProxy, Envoy, or a cloud LB listener policy) with its protocol list and cipher string
- A scan result if available (testssl.sh, sslscan, or SSL Labs grade) showing negotiated protocols, ciphers, and any warnings
- The client requirements: minimum browser/OS or API-client versions that must keep working, and any compliance target (PCI-DSS, NIST, Mozilla Modern/Intermediate).

Do the following:

1. **Inventory what's enabled** — list active protocol versions and cipher suites, and flag anything deprecated: SSLv2/SSLv3/TLS 1.0/1.1, RC4, 3DES, CBC-mode where AEAD is available, NULL/EXPORT/anonymous, MD5-MAC, and non-forward-secret suites (static RSA, DH or ECDH key exchange).
2. **Assess downgrade exposure** — confirm the minimum version is enforced server-side (not merely de-prioritised), that TLS_FALLBACK_SCSV is honoured for clients that retry at a lower version (TLS 1.3 additionally marks a downgraded ServerHello so a 1.3-capable client can detect it), that TLS compression is off (CRIME), and that renegotiation is RFC 5746 secure renegotiation only, with client-initiated renegotiation disabled.
3. **Choose a target policy** — recommend a protocol floor (typically TLS 1.2+, prefer 1.3) and an ordered AEAD + forward-secret cipher list, mapped to the chosen Mozilla profile and the client floor.
4. **Check the chain** — note certificate key size and algorithm (RSA 2048-bit or larger, or ECDSA P-256/P-384), signature hash (SHA-256 or stronger, no SHA-1), a complete intermediate chain, OCSP stapling, and HSTS where the endpoint is a web (HTTPS) service rather than a non-HTTP TLS listener.
5. **Give exact config** — provide the corrected protocol and cipher directives for the specific server in use.
6. **Verify** — supply the re-scan command and expected grade.

Output as: a findings table (issue, risk, fix), the corrected config block, and a compatibility note for the client floor. Defensive hardening review only — no attack tooling.
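As an added example (not part of the original page or of the prompt above), the following Python script carries steps 1 to 3 and the nginx directives of step 5 over a scan result. Everything in it is the example's own assumption: the scan is constructed, the IANA-to-OpenSSL name conversion covers only the GCM/CCM/ChaCha20 suites, and the risk levels, suite ordering and `ssl_prefer_server_ciphers off` are choices to check against the Mozilla profile you pick.

```python
"""Added example: steps 1-3 of the prompt plus the nginx lines of step 5, run
over a constructed scan result (IANA suite names, as testssl.sh prints them).
Risk levels, suite ordering and the nginx directives are this example's own
assumptions; check them against the chosen Mozilla profile."""
from dataclasses import dataclass

WEAK_PROTOCOLS = {"SSLv2": "Critical", "SSLv3": "Critical", "TLS1.0": "High", "TLS1.1": "High"}
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
RISK = {"anonymous key exchange": "Critical", "NULL cipher": "Critical", "EXPORT grade": "Critical",
        "RC4": "High", "3DES": "High", "MD5 MAC": "High",
        "CBC where AEAD is available": "Medium", "no forward secrecy": "Medium"}


@dataclass
class Scan:
    protocols: list              # versions the server accepted
    suites: list                 # IANA names of the suites it negotiated
    fallback_scsv: bool          # server rejected a ClientHello carrying the fallback SCSV
    compression: bool            # TLS-level compression offered (CRIME)
    secure_renegotiation: bool   # RFC 5746 supported
    client_renegotiation: bool   # client-initiated renegotiation accepted


def is_aead(suite):
    return any(m in suite for m in AEAD_MARKERS)


def is_forward_secret(suite):
    if "_WITH_" not in suite:                      # TLS 1.3 name: (EC)DHE only
        return True
    kex = suite[4:].split("_WITH_")[0]             # static RSA/DH/ECDH are not FS
    return kex.startswith(("ECDHE_", "DHE_"))


def suite_issues(suite, aead_available):
    """Step 1: deprecation tags that apply to one suite."""
    markers = [("_anon_", "anonymous key exchange"), ("_NULL_", "NULL cipher"),
               ("EXPORT", "EXPORT grade"), ("RC4", "RC4"), ("3DES", "3DES")]
    tags = [tag for marker, tag in markers if marker in suite]
    if suite.endswith("_MD5"):
        tags.append("MD5 MAC")
    if "_CBC_" in suite and aead_available:        # CBC is only a finding once AEAD exists
        tags.append("CBC where AEAD is available")
    if not is_forward_secret(suite):
        tags.append("no forward secrecy")
    return tags


def audit(scan):
    """Steps 1-2: findings as (issue, risk, fix) rows."""
    rows = [(f"{p} enabled", WEAK_PROTOCOLS[p], "Raise the floor to TLS 1.2 and enable TLS 1.3")
            for p in scan.protocols if p in WEAK_PROTOCOLS]
    aead_available = any(is_aead(s) for s in scan.suites)
    if not aead_available:
        rows.append(("No AEAD suite offered", "High", "Add ECDHE AES-GCM / ChaCha20-Poly1305 suites"))
    for suite in scan.suites:
        rows += [(f"{suite}: {t}", RISK[t], "Drop from the cipher list")
                 for t in suite_issues(suite, aead_available)]
    if len(scan.protocols) > 1 and not scan.fallback_scsv:
        rows.append(("TLS_FALLBACK_SCSV not honoured", "Medium",
                     "Upgrade the TLS library; current OpenSSL honours it without config"))
    if scan.compression:
        rows.append(("TLS compression enabled (CRIME)", "High", "Disable TLS compression"))
    if not scan.secure_renegotiation:
        rows.append(("Secure renegotiation (RFC 5746) unsupported", "High", "Upgrade the TLS library"))
    if scan.client_renegotiation:
        rows.append(("Client-initiated renegotiation accepted", "Low",
                     "Disable client-initiated renegotiation (DoS surface)"))
    return rows


def to_openssl_name(iana):
    """IANA -> OpenSSL naming for the GCM/CCM/ChaCha20 suites (assumed mapping)."""
    name = (iana[4:].replace("_WITH_", "_").replace("AES_128", "AES128")
            .replace("AES_256", "AES256").replace("_", "-"))
    return name.replace("-SHA256", "") if "CHACHA20-POLY1305" in name else name


def target_policy(scan):
    """Step 3: AEAD + forward-secret TLS 1.2 suites, in an assumed preference order."""
    kex_rank = {"ECDHE_ECDSA": 0, "ECDHE_RSA": 1, "DHE_RSA": 2}
    cipher_rank = ("AES_128_GCM", "AES_256_GCM", "CHACHA20_POLY1305")

    def rank(suite):
        kex, cipher = suite[4:].split("_WITH_")
        return kex_rank.get(kex, 9), next((i for i, c in enumerate(cipher_rank) if c in cipher), 9)

    keep = [s for s in scan.suites if "_WITH_" in s and is_aead(s) and is_forward_secret(s)]
    return [to_openssl_name(s) for s in sorted(keep, key=rank)]


def nginx_block(ciphers):
    """Step 5 for nginx; TLS 1.3 suites come from the library, not ssl_ciphers."""
    return "\n".join(["ssl_protocols TLSv1.2 TLSv1.3;",
                      "ssl_ciphers " + ":".join(ciphers) + ";",
                      "ssl_prefer_server_ciphers off;"])   # clients pick ChaCha20 without AES-NI


# Constructed scan of a legacy-heavy endpoint; not a real host.
SAMPLE_SCAN = Scan(
    protocols=["TLS1.0", "TLS1.1", "TLS1.2"],
    suites=["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"],
    fallback_scsv=False, compression=True, secure_renegotiation=True, client_renegotiation=True)

if __name__ == "__main__":
    for issue, risk, fix in audit(SAMPLE_SCAN):
        print(f"{risk:9}{issue:55}{fix}")
    print(nginx_block(target_policy(SAMPLE_SCAN)))
```

Running it prints the findings table for the constructed scan and the `ssl_protocols`/`ssl_ciphers` block to paste into the nginx `server` context. The CBC rule is deliberately conditional: a suite list with no AEAD at all gets one "No AEAD suite offered" finding instead of a CBC finding per suite, because removing CBC there would leave nothing to negotiate. For step 6, a re-scan such as `testssl.sh -p -E -f host:443` plus `openssl s_client -connect host:443 -tls1_1` (which should now be refused) is the check to run; both commands are assumed here and flag names vary by testssl.sh version.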
