An external penetration test vendor flagged our Auth0 domain URL as having potential security vulnerabilities because it doesn’t have TLS 1.0 disabled, and because of the use of what is considered to be a weak SSL cipher (TLS_RSA_WITH_3DES_EDE_CBC_SHA) with a key length of less than 128 bits.
Is there any way to configure Auth0 to disable use of TLS 1.0 and weak ciphers?
Let me get in touch with our Security Team @yoni.rabinovitch!
So I managed to find out that modern TLS, which offers TLS 1.2 only and a better cipher suite, is available for cloud customers using custom domains with Auth0 managed certificates. You can open a support ticket to request to opt-in to modern config.
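For anyone who wants to confirm the finding above before opening the ticket, or verify that the modern config took effect afterwards, here is an added example (not Auth0's code and not from any post in this thread). It probes a host one TLS version at a time and evaluates what the server agreed to against the policy the thread describes: TLS 1.2 or later only, no suite under 128 bits, no 3DES/RC4/NULL/export suites. The host name in the usage comment is hypothetical, and the two sample result sets are constructed to look like the vendor's finding and like a modern config; they are not real scan output.

```python
import re
import socket
import ssl

# Policy implied by the thread: TLS 1.2 only, nothing below 128 bits of
# effective strength, and no suites built on 3DES, RC4, NULL, export-grade
# or anonymous key exchange.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_SECRET_BITS = 128
# Matches OpenSSL names (DES-CBC3-SHA) as well as IANA names
# (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
WEAK_ALGORITHM = re.compile(r"(DES|RC4|NULL|EXP(ORT)?|ANON|MD5)", re.IGNORECASE)


def evaluate(handshakes):
    """Return policy findings for a set of handshake results.

    Each result is a (cipher_name, protocol, secret_bits) tuple, the shape
    ssl.SSLSocket.cipher() returns, or None when the server refused the probe.
    """
    findings = []
    for result in handshakes:
        if result is None:
            continue  # refused handshake: nothing weak was negotiated
        name, proto, bits = result
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol negotiated: {proto} with {name}")
        if bits < MIN_SECRET_BITS:
            findings.append(f"cipher strength below {MIN_SECRET_BITS} bits: {name} ({bits} bits)")
        if WEAK_ALGORITHM.search(name):
            findings.append(f"weak algorithm in suite: {name}")
    return findings


def is_modern(handshakes):
    """True when no handshake result violates the policy."""
    return not evaluate(handshakes)


def probe(host, version, port=443, timeout=5):
    """Attempt one handshake pinned to a single TLS version; return what was negotiated."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # only the negotiated suite matters here
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Offer legacy suites so the probe can see whether the server accepts them;
        # OpenSSL 3 otherwise refuses TLS 1.0/1.1 and 3DES at its default security level.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, OSError, ValueError):
        # SSLError/OSError: server refused this version. ValueError: the local
        # OpenSSL build does not support the version at all. Both count as "not offered".
        return None


def audit(host):
    """Probe every TLS version and evaluate everything the server agreed to."""
    versions = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return evaluate(probe(host, v) for v in versions)


# Constructed sample results, not real scan output. The first resembles the
# vendor finding (TLS 1.0 accepted with 3DES, which OpenSSL reports as 112
# secret bits); the second resembles a modern config where TLS 1.0/1.1 were
# refused and only an AES-GCM suite over TLS 1.2 was negotiated.
SAMPLE_LEGACY = [("DES-CBC3-SHA", "TLSv1", 112),
                 ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)]
SAMPLE_MODERN = [None, None, ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256), None]

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN)):
        print(label, "OK" if is_modern(sample) else evaluate(sample))
    # Live use against your own tenant's custom domain (hypothetical host name):
    # print(audit("login.example.com"))
```

`evaluate()` is deliberately separated from `probe()` so the policy can be applied to results captured by any other tool; a refused handshake is treated as a pass, since the whole point of the modern config is that TLS 1.0/1.1 and 3DES are no longer negotiable.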
Thanks very much, will do!
No worries! We’re here for you!
Hey there, folks!
Little update from here. Now you can do that yourself!
Here’s how to achieve that: