What it is
A TLS connection is negotiated using a protocol version (SSL 2.0/3.0, TLS 1.0 through 1.3) and a cipher suite. The older versions and several legacy ciphers have known cryptographic weaknesses, yet servers often keep accepting them for backwards compatibility long after they should be turned off.
Why it matters
SSL 2.0 and 3.0 are broken and TLS 1.0/1.1 are deprecated; continuing to accept them lets an attacker who can influence the connection force a weak handshake. Legacy ciphers (NULL, export-grade, RC4, MD5-based, and DES/3DES) similarly weaken or remove the protection HTTPS is supposed to provide. Disabling them is a one-time configuration change with no downside for modern clients.
How WebGuard checks it
WebGuard inspects the TLS handshake your endpoint offers and reports legacy protocol versions (SSL 2.0/3.0 as critical, TLS 1.0/1.1) and weak cipher suites (NULL, export-grade, RC4, MD5, DES/3DES). It observes the handshake your server already presents. This is read-only, with no exploitation.
A sensible starting configuration:
Minimum protocol: TLS 1.2 (prefer TLS 1.3). Disable RC4, 3DES, export-grade, and NULL ciphers.