
PCI Scan still failing on TLS1

I'm still failing my PCI scans because of TLS 1.0.  I've read the forums and looked at patching the various *.conf files, but none of them contain the dreaded +TLSv1 or anything like it.

So is there a way to block all TLS 1.0 at the UTM or not?

  • I am as well. There is an option for the Webserver protection for the reverse proxy to increase it to 1.1 or 1.2, but not the portal page or the mail gateway etc.

  • You did not say which port is associated with the error.

    For WAF, the fix is easy (if you are on a recent firmware release)

    • Webserver Protection...
    • Web Application Firewall...
    • Advanced (tab)
    • TLS version (section)
    • Change minimum TLS version to TLS 1.2

    For SMTP,

    I would dispute the finding as stupid, but you will have to find a more diplomatic way to phrase things.  If the other end can only do TLS 1.0, your choices are to connect with weak encryption or connect with no encryption.  Weak encryption seems preferable to none.  Also, encryption only matters if you are sure that you are communicating with the intended party, and that is also difficult to ensure with SMTP.  But to answer your question so you don't have to waste time arguing, I think you will find it here:

    • File name:  /var/storage/chroot-smtp/etc/exim.conf
    • Secure cipher suggestion:   tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
    • Secure Protocol suggestion:   openssl_options = +no_sslv3
    • Then restart the smtpd service by executing:  /var/mdw/scripts/smtp restart
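    Added example, not from this thread or from Sophos: a small Python audit of the openssl_options line in an Exim configuration such as the one above. Exim's openssl_options takes OpenSSL's SSL_OP_NO_* names lowercased with a + (set) or - (clear) prefix, so +no_sslv3 by itself still leaves TLS 1.0 and 1.1 offered and a scanner will keep reporting them; the script reports the lowest protocol a given setting still allows. The exim.conf excerpts inside it are constructed.

```python
import re

# Protocol names Exim accepts after "no_" in openssl_options, lowest first.
# SSLv2 is omitted because OpenSSL 1.1.0+ no longer builds it at all.
PROTOCOLS = ["sslv3", "tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3"]
LABELS = {"sslv3": "SSLv3", "tlsv1": "TLS 1.0", "tlsv1_1": "TLS 1.1",
          "tlsv1_2": "TLS 1.2", "tlsv1_3": "TLS 1.3"}

# Constructed exim.conf excerpts: the thread's suggestion, and a stricter one.
SAMPLE_BEFORE = """\
# constructed excerpt modelled on the suggestion in the thread
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3
"""
SAMPLE_AFTER = """\
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
"""

def parse_openssl_options(conf_text):
    """Return the set of protocol names that openssl_options disables.
    A later openssl_options line replaces an earlier one, "+no_x" disables
    x and "-no_x" re-enables it. An absent directive is treated here as
    disabling nothing (Exim's real built-in default varies by version)."""
    disabled = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"openssl_options\s*=\s*(.*)$", line)
        if not m:
            continue
        disabled = set()                              # later line wins
        for token in m.group(1).strip().strip('"').split():
            sign, name = token[0], token[1:].lower()
            if sign not in "+-" or not name.startswith("no_"):
                continue                              # e.g. +single_dh_use
            proto = name[3:]
            if proto in PROTOCOLS:
                (disabled.add if sign == "+" else disabled.discard)(proto)
    return disabled

def minimum_protocol(conf_text):
    """Lowest protocol version the configuration still offers to peers."""
    disabled = parse_openssl_options(conf_text)
    return next((LABELS[p] for p in PROTOCOLS if p not in disabled), None)

def tls10_allowed(conf_text):
    """True when a TLS 1.0-only scanner probe would still be accepted."""
    return "tlsv1" not in parse_openssl_options(conf_text)

if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, "minimum:", minimum_protocol(conf),
              "TLS 1.0 allowed:", tls10_allowed(conf))
```

    Note that tls_require_ciphers narrows cipher suites, not protocol versions, so a cipher string alone will not satisfy a TLS 1.0 finding.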
  • I'm with Doug, Steve.  I try to get my customers to try companies that another client hasn't yet tried, but, so far, they just run an automated test and then automatically send a canned report that shows the results.  No one at the scanning company looks at the report.  The companies have no mechanism to mark specific "fails" as false positives.  There is likely no one at the company that could explain anything on the test to you.  You need to document your proof to them and then review the next report to see if anything needs to be added to your document before you send it to them with the notation that you're looking for a company with better systems.

    If anyone has a good suggestion, please PM me the company name and the name of the product of theirs that you're using.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We use Trustwave.  They have a process for appealing issues.  Once an appeal is approved, it is retained for future scans.  I have not won every appeal, but overall I am satisfied with their product.