In March 2020, support for TLSv1.1 was deprecated.
You may ask: is my store using the most secure encryption? Is my server protected against malicious users?
In this article you will learn how to verify and set up the correct SSL/TLS configuration for your Magento 2 store.
Check server connection security
Verify your website against SSL vulnerabilities here: https://www.ssllabs.com/ssltest/ (remember to tick the checkbox "Do not show the results on the boards" so that your scan is not listed publicly).
If your scan results are not green, continue reading to learn how to secure your Magento 2 store.
Understand the issue
Given enough effort and time, any vault can be broken into; valuable data can only be safeguarded by preventing access to it.
Establishing a connection from a client to the web server relies on a negotiation between the two machines: they agree on how to transfer data in a way that both of them understand.
Various hardware and software vendors adopt modern security standards at their own pace. Permissive configurations can serve more clients, but at the cost of overall security. That is the price of backward compatibility.
Many SSL/TLS attacks work by forcing the connection to negotiate a weaker protocol version. Communication in such a downgraded mode is an open door for security breaches.
When you allow the server to use older SSL/TLS versions, you’re introducing possible vulnerabilities to be exploited.
In other words, if your Magento 2 store allows outdated SSL/TLS versions, hackers can exploit vulnerabilities like POODLE to steal sensitive customer data. This could lead to financial loss and cause damage to your store's reputation.
Only TLSv1.3 is immune to the POODLE and LOGJAM attacks, but not all clients support TLSv1.3. If you care about customers with older browsers and devices, stick with version 1.2 combined with strong cipher suites and adequate key sizes (at least 768 or 1024, depending on the algorithm).
Watch this video for a quick explanation of why upgrading to TLS 1.2 and 1.3 is crucial for your Magento 2 store's security:
Enforce minimal version in Nginx
In the server block of your Nginx config that contains the listen directive for port 443, replace the ssl_protocols line with:
ssl_protocols TLSv1.2 TLSv1.3;
That should be enough to mitigate most issues related to older SSL/TLS versions.
If your website is behind a firewall or CDN, e.g. Cloudflare or AWS WAF, there is a simple switch that lets you set the minimum TLS version. Just refer to the relevant documentation.
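As an added illustration that is not part of the original article, here is a small POSIX shell audit that parses an Nginx config for ssl_protocols directives and flags any legacy version still enabled; the two sample configs and the hostname shop.example.com are constructed for the example.

```shell
#!/bin/sh
# Audit an Nginx config for ssl_protocols directives that still allow legacy
# SSL/TLS versions. Returns 0 when only TLSv1.2/TLSv1.3 are enabled, 1 otherwise.
audit_ssl_protocols() {
  file="$1"
  # Strip comments, keep ssl_protocols lines, and reduce each to its version tokens.
  tokens=$(sed 's/#.*//' "$file" \
    | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
    | sed -E -e 's/^[[:space:]]*ssl_protocols[[:space:]]+//' -e 's/;.*//')
  if [ -z "$tokens" ]; then
    # Without the directive Nginx falls back to its built-in default,
    # which still includes TLSv1 and TLSv1.1.
    echo "FAIL: no ssl_protocols directive in $file (defaults allow TLSv1/TLSv1.1)"
    return 1
  fi
  weak=$(printf '%s\n' $tokens | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' \
    | sort -u | tr '\n' ' ')
  if [ -n "$weak" ]; then
    echo "FAIL: legacy protocol(s) enabled in $file: $weak"
    return 1
  fi
  echo "OK: $file allows only $(printf '%s\n' $tokens | sort -u | tr '\n' ' ')"
  return 0
}

# Constructed sample configs (not taken from a real server) showing both outcomes.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/weak.conf"
HARDENED_CONF="$SAMPLE_DIR/hardened.conf"
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # downgrade to TLSv1/1.1 still possible
}
EOF
cat > "$HARDENED_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF

audit_ssl_protocols "$WEAK_CONF" || :      # reports FAIL with TLSv1 TLSv1.1
audit_ssl_protocols "$HARDENED_CONF"       # reports OK
```

To confirm what the running server actually negotiates after the change, a handshake forced to an old version, e.g. openssl s_client -connect shop.example.com:443 -tls1_1, should fail to complete.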
Benefits of Using TLS 1.2 & 1.3
The most recent versions of TLS improve both the security and the performance of your website. The elliptic curve algorithms available for TLSv1.2 are much faster than RSA, and these optimizations reduce the resources the server spends on encryption. This lowers website response latency, resulting in a better user experience.
Further reading
If you want to learn more about SSL/TLS vulnerabilities, check out this article.