PCI Scan still failing on TLS1

Question

I'm still failing my PCI scans because of TLS 1.0. I've read the forums and looked at patching the various *.conf file, but none of them contain the dreaded +TLSv1 or anything like it. 
 So is there a way to block all TLS 1.0 at the UTM or not?

DouglasFoster · Answer

You did not say which port is associated with the error. 
 For WAF, the fix is easy (if you are on a recent firmware release) 
 
 Webserver Protection... 
 Web Application Firewall... 
 Advanced (tab) 
 TLS version (section) 
 Change minimum TLS version to TLS 1.2 
 
 For SMTP, 
 I would dispute the finding as stupid, but you will have to find a more diplomatic way to phrase things. If the other end can only to TLS 1.0, your choice are to connect with weak encryption or connect with no encryption. Weak encryption seems preferable to none. Also encryption only matters if you are sure that you are communicating with the intended party, and that is also difficult to ensure with SMTP. But to answer your question so you don't have to waste time arguing, I think you will find it here: 
 
 File name: /var/storage/chroot-smtp/etc/exim.conf 
 Secure cipher suggestion: tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2 
 Secure Protocol suggestion: openssl_options = +no_sslv3 
 Then restart the smtpd service by executing: /var/mdw/scripts/smtp restart