The Top 10 SSL/TLS Misconfigurations We See in 2026

Most SSL failures aren't dramatic. The certificate is valid, the protocol is modern, and the connection completes — but a small misconfiguration drags the security grade from A+ to C and leaves real attack surface. Here are the ten patterns we keep seeing, ranked by how often they appear in our scans and how much damage they actually do.

How we ranked these. Frequency is taken from a combination of our own public-scanner traffic since January 2026, Qualys SSL Labs' long-running SSL Pulse survey of the Tranco Top 1M, and Cloudflare Radar's published TLS metrics. Impact is editorial: how much risk each issue carries when it occurs.

1. Incomplete Certificate Chain

What it looks like: Your leaf certificate is served, but one or more intermediate certificates are missing. Modern desktop browsers cache intermediates and often hide the problem; mobile clients, command-line tools, and some load balancers choke on it.

Why it happens: The cert was installed without its chain bundle, or the deploy script copies only the leaf .crt file. CA-issued PEM bundles include the chain — people skip it because "it works in my browser."

The fix: Serve the full chain, leaf first, then each intermediate in order (the root is optional and usually omitted). On nginx, point ssl_certificate at a combined fullchain.pem. On Apache, set SSLCertificateChainFile or include the chain in the main certificate file (Apache 2.4.8+).

2. HSTS Missing or Weak

What it looks like: No Strict-Transport-Security header, or a header with max-age under one year, or includeSubDomains missing, or preload declared but the domain isn't on the preload list.

Why it happens: HSTS gets added "just enough to pass the audit." Teams avoid includeSubDomains because some forgotten subdomain still runs HTTP. That's a problem to fix, not a reason to weaken HSTS on the apex.

The fix:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Two years (63072000) is the preload-list minimum. Audit all subdomains for HTTPS support before adding includeSubDomains.
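As an added example (not part of the original article), the check below evaluates a Strict-Transport-Security value against exactly the weaknesses listed above; preload-list membership cannot be verified offline, so it is passed in as an optional flag after consulting hstspreload.org.

```python
# Added example: evaluate a Strict-Transport-Security header against the
# criteria above (max-age under a year, missing includeSubDomains, preload
# requirements). Directive names are case-insensitive per RFC 6797.
ONE_YEAR = 31536000
PRELOAD_MIN_AGE = 63072000  # two years, the preload-list minimum cited above


def parse_hsts(header):
    """Return (max_age or None, set of lower-cased flag directives)."""
    max_age, flags = None, set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            max_age = int(value) if value.isdigit() else None
        else:
            flags.add(name)
    return max_age, flags


def audit_hsts(header, on_preload_list=None):
    """List weaknesses in an HSTS header; [] means it meets the bar above.

    on_preload_list is None when membership was not checked (the offline
    case); pass True/False after looking the domain up on hstspreload.org.
    """
    if header is None:
        return ["no Strict-Transport-Security header"]
    findings = []
    max_age, flags = parse_hsts(header)
    if max_age is None:
        findings.append("max-age missing or not a number")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is under one year")
    if "includesubdomains" not in flags:
        findings.append("includeSubDomains missing")
    if "preload" in flags:
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append(f"preload needs max-age>={PRELOAD_MIN_AGE}")
        if "includesubdomains" not in flags:
            findings.append("preload requires includeSubDomains")
        if on_preload_list is False:
            findings.append("preload declared but domain is not on the list")
    return findings
```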

3. Outdated Protocols Still Enabled

What it looks like: TLS 1.0 or TLS 1.1 still negotiable. Occasionally even SSLv3 on legacy admin panels.

Why it happens: Long-running CentOS 7 hosts. WAFs configured for compatibility with "a legacy partner" who left in 2019. Load balancers running custom cipher templates that were never updated.

The fix: Enable only TLS 1.2 and TLS 1.3. RFC 8996 formally deprecated TLS 1.0 and 1.1 in March 2021; PCI DSS 4.0 disallows them entirely as of March 2025.

# nginx
ssl_protocols TLSv1.2 TLSv1.3;

# Apache
SSLProtocol -all +TLSv1.2 +TLSv1.3

4. CBC Cipher Suites Still in the Mix

What it looks like: AES128-SHA, ECDHE-RSA-AES256-SHA384, or anything ending in -CBC. These are technically allowed in TLS 1.2 but vulnerable to padding oracle attacks (BEAST, Lucky13, POODLE-TLS variants) and have been replaced by AEAD ciphers.

The fix: Restrict to AEAD — AES-GCM and ChaCha20-Poly1305 — with ECDHE key exchange. TLS 1.3 enforces AEAD by design; for TLS 1.2 you set this explicitly.

ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

5. RSA Key Exchange Still Allowed

What it looks like: Cipher suites beginning TLS_RSA_WITH_ appear in the supported list. These use RSA key transport rather than ECDHE/DHE, meaning no forward secrecy, and they're the ones vulnerable to ROBOT (2017).

The fix: Disable RSA key exchange entirely. Modern clients all support ECDHE; the only thing you preserve by keeping RSA-KEX is "compatibility" with attackers.
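As an added example covering items 4 and 5 (not from the original article), this expands an OpenSSL/nginx-style cipher string the way the server will and flags every TLS 1.2 suite that is either non-AEAD or lacks ephemeral key exchange. It relies only on the standard-library ssl module; which suites resolve depends on the local OpenSSL build and its security level.

```python
# Added example: expand a cipher string with the local OpenSSL and report
# suites that violate the "ECDHE + AEAD only" rule from items 4 and 5.
import ssl

# The ssl_ciphers list recommended above, in OpenSSL cipher-string form.
RECOMMENDED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)


def expand_cipher_string(cipher_string):
    """Resolve a cipher string to the concrete suites OpenSSL would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string):
    """Return [(suite name, reason), ...] for every TLS 1.2 suite that fails."""
    findings = []
    for suite in expand_cipher_string(cipher_string):
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are AEAD-only with ephemeral key exchange
        reasons = []
        if not suite["aead"]:
            reasons.append("non-AEAD (CBC) cipher")  # item 4
        if suite["kea"] not in ("kx-ecdhe", "kx-dhe"):
            reasons.append(f"no forward secrecy ({suite['kea']})")  # item 5
        if reasons:
            findings.append((suite["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Constructed "before" list: one CBC suite and one RSA-key-transport suite
    # prepended to the recommended set.
    before = "ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:" + RECOMMENDED
    for name, reason in audit_cipher_string(before):
        print(f"{name}: {reason}")
```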

6. Mixed Content on HTTPS Pages

What it looks like: An HTTPS page loads an HTTP image, script, or font. Browsers block active mixed content (scripts, CSS) outright, but only quietly flag passive mixed content (images). Either way, your padlock is broken.

Why it happens: Hardcoded absolute URLs in CMS templates. Third-party embeds that haven't migrated. A relative image path that resolves through an HTTP redirect.

The fix: Add a CSP directive to enforce it. upgrade-insecure-requests rewrites http: subresource URLs to https: before they are fetched; block-all-mixed-content blocks whatever remains. Violations are reported only if the policy also carries a report-uri or report-to directive.

Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content

7. Wildcard Wildly Mis-scoped

What it looks like: A single *.example.com wildcard cert installed on dozens of hosts running unrelated services — the marketing site, the admin panel, the payment gateway, and the Kubernetes ingress. One private-key compromise and the whole estate falls.

The fix: Use per-service certificates wherever possible. Wildcards are for cases where you genuinely need them (dynamic subdomain creation, dev environments) — not as a cheat code to avoid the renewal process. Short-lived per-service certs from ACME automation cost nothing more than wildcards and limit blast radius dramatically.

8. CAA Record Missing or Permissive

What it looks like: No CAA record on the domain, or one that allows any CA. Every public CA is required to honour CAA, but if you don't publish one, every public CA is allowed.

Why it matters: CAA is the cheapest control against rogue or misdirected issuance. If your CA is Let's Encrypt, say so — explicitly.

example.com.  IN  CAA  0 issue       "letsencrypt.org"
example.com.  IN  CAA  0 issuewild   "letsencrypt.org"
example.com.  IN  CAA  0 iodef       "mailto:security@example.com"

Check yours with our CAA checker.

9. Subdomain Without HTTPS

What it looks like: Your apex is A+. Then someone scans mail.example.com, old.example.com, or internal.example.com and finds a self-signed cert from 2018 or no HTTPS at all. HSTS with includeSubDomains would break these — which is why nobody enabled it.

The fix: Inventory every public hostname (Certificate Transparency logs are the easiest place to find them). Either bring each one up to standard or retire it. Then enable includeSubDomains.

10. No Monitoring — Discovered by an Outage

What it looks like: The most common pattern. Everything was fine when the cert was installed. Eighteen months later, the auto-renew silently failed because the deploy hook never reloaded the server, and the team finds out from a Twitter post.

The fix: External monitoring that hits the served certificate, not the file system. Alert at 14, 7, 3 days. Watch CT logs for unexpected issuance. Cover every hostname. Don't trust the automation — verify it from outside.
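As an added example (not the article's own tooling), the probe below does what this item describes: it handshakes with the live endpoint, reads the served certificate's expiry, and maps the remaining lifetime onto the 14/7/3-day alert ladder. Verification is left on, so an incomplete chain (item 1) or an already-expired certificate shows up as a handshake error rather than a date. Hostnames are whatever you pass on the command line.

```python
# Added example: external certificate monitoring against the served cert.
import socket
import ssl
from datetime import datetime, timedelta, timezone

ALERT_DAYS = (14, 7, 3)  # the alert ladder from the article


def alert_tier(not_after, now):
    """Tightest threshold crossed (14, 7 or 3), 'expired', or None if healthy."""
    days_left = (not_after - now) / timedelta(days=1)
    if days_left <= 0:
        return "expired"
    for threshold in sorted(ALERT_DAYS):
        if days_left <= threshold:
            return threshold
    return None


def fetch_served_not_after(host, port=443, timeout=5.0):
    """Handshake with the live endpoint and read notAfter from the served leaf.

    Default verification stays on: a missing intermediate or an expired
    certificate raises ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(expiry, tz=timezone.utc)


def check_host(host, now=None):
    """Return {'host', 'tier', 'not_after'} or {'host', 'error'} for one name."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch_served_not_after(host)
    except (ssl.SSLError, OSError) as exc:  # chain, expiry, DNS or TCP failures
        return {"host": host, "error": f"{type(exc).__name__}: {exc}"}
    return {"host": host, "tier": alert_tier(not_after, now), "not_after": not_after}


if __name__ == "__main__":
    import sys
    for hostname in sys.argv[1:]:  # one probe per public hostname in your inventory
        print(check_host(hostname))
```

Run it from outside your own network on a schedule; a result carrying "error" is itself an alert, not a monitoring gap.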

What's Improving (And What Isn't)

Improving

  • TLS 1.3 adoption. Above 80% of TLS handshakes on the public web, per Cloudflare Radar (2025).
  • Forward secrecy. Effectively universal on top-million sites, per Qualys SSL Pulse.
  • Free DV certificates. Let's Encrypt + Google Trust Services + Cloudflare have pushed the HTTPS adoption rate above 95% on the top-million.
  • HSTS adoption. Slow but rising; preload-list submissions hit their highest ever in 2025.

Not improving

  • Server signature algorithms. SHA-1 in chains is gone, but SHA-256 dominates where SHA-384 would be sensible for high-value services.
  • Email security (SPF/DKIM/DMARC) on small business domains. Despite Gmail/Yahoo/Outlook enforcement, the long tail is still wide open.
  • Cipher hygiene on internal endpoints. Public hosts get the attention; admin interfaces and APIs lag by years.

Scan Your Server

The fastest way to find which of these apply to you is to scan. Our public scanner reports every issue above, in plain English, with a grade.
