PCI failed for TLS version 1.0 protocol
Hello,
Today my customer came up with a failed PCI report. I have enclosed a screenshot of it and am pasting the error below.
+++++++++++++
Port: 2083
Protocol: TCP
Service: www
CVSS: 5.00
Title: FAIL - TLS Version 1.0 Protocol Detection (PCI DSS)
Synopsis:
The remote service encrypts traffic using a protocol with known weaknesses.
Impact:
The remote service accepts connections encrypted using TLS 1.0. This version
of TLS is affected by multiple cryptographic flaws. An attacker can exploit
these flaws to conduct man-in-the-middle attacks or to decrypt
communications between the affected service and clients. As per PCI Security
Standards Council April 1, 2015 document `Migrating from SSL and Early TLS` all
TLS 1.0 encryption usage must include a Mitigation and Migration plan detailing
current risk management plus migration strategy off early TLS to secure TLS
versions such as TLS 1.1 or 1.2 on or before June 30, 2016. Consult the
application's documentation for information on how to upgrade TLS to version
1.1 or greater (TLS 1.2 strongly recommended) or upgrade the application to a
version that uses TLS version 1.1 or greater.
+++++++++
I have checked my cPanel web service configuration and the following is listed.
TLS/SSL Cipher list: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
TLS/SSL Protocols: SSLv23:!SSLv2:!SSLv3
Can somebody let me know what changes I need to make in order to pass PCI compliance.
Here are some good guidelines: cipherli.st/
Modify your httpd.conf (Configuration Files - Apache HTTP Server Version 2.4) to include the above (for Apache).
Best regards.
Hi Smith,
Thank you for the update. Here I think the issue is with the cPanel (port 2083) cipher or SSL suite and not with Apache.
Hello,
You can browse to WHM Home » Service Configuration » cPanel Web Services Configuration and append the following entry to the existing "TLS/SSL Protocols" list: :!TLSv1
The final entry would look like this if you've made no previous changes: SSLv23:!SSLv2:!SSLv3:!TLSv1
You may also find this thread helpful: I need to disable TLS v1.0
Thank you.
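Added example, not from this thread and not cPanel's own code: a small Python script that works out which protocol versions a cPanel-style "TLS/SSL Protocols" list leaves enabled, so you can confirm that `SSLv23:!SSLv2:!SSLv3:!TLSv1` really drops TLS 1.0 (and that SSLv2/SSLv3 stay off) before touching WHM, plus a helper that attempts a TLS 1.0-only handshake against your own port 2083 afterwards, which is the same check the PCI scanner performed. The list semantics (`SSLv23` selecting every version, `!NAME` removing one, `TLSv1_1`/`TLSv1_2` as the names of the later versions) and the version set in `ALL_PROTOCOLS` are assumptions about cPanel's format; the function names are mine.

```python
"""Check a cPanel-style TLS protocol list and probe a port for TLS 1.0."""
import socket
import ssl
import sys

# Assumed universe of versions the cPanel "TLS/SSL Protocols" field can
# name. Which of these a given OpenSSL build actually offers varies.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")

# Versions the "Migrating from SSL and Early TLS" finding wants switched off.
EARLY_TLS = ("SSLv2", "SSLv3", "TLSv1")


def enabled_protocols(protocol_list, universe=ALL_PROTOCOLS):
    """Return the versions a list such as 'SSLv23:!SSLv2:!SSLv3:!TLSv1'
    leaves enabled, in universe order.

    Assumed semantics: 'SSLv23' (or 'ALL') selects every version, '!NAME'
    removes one, a bare name adds that single version. Applied left to right.
    """
    enabled = []
    for token in protocol_list.split(":"):
        token = token.strip()
        if not token:
            continue
        if token in ("SSLv23", "ALL"):
            enabled = list(universe)
        elif token.startswith("!"):
            name = token[1:]
            if name not in universe:
                raise ValueError(f"unknown protocol {name!r}")
            enabled = [p for p in enabled if p != name]
        elif token in universe:
            if token not in enabled:
                enabled.append(token)
        else:
            raise ValueError(f"unknown protocol {token!r}")
    return tuple(p for p in universe if p in enabled)


def early_tls_disabled(protocol_list):
    """True when the list leaves none of SSLv2, SSLv3 or TLS 1.0 enabled."""
    return not set(enabled_protocols(protocol_list)) & set(EARLY_TLS)


def tls10_offered(host, port=2083, timeout=5.0):
    """Attempt a TLS 1.0-only handshake against host:port.

    Returns True if the server completed a TLS 1.0 handshake, False if the
    handshake failed. Note: a local OpenSSL build that cannot speak TLS 1.0
    at all also yields False, so confirm with `openssl s_client -tls1`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing the protocol, not the cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    # OpenSSL 1.1.1+ refuses TLS 1.0 at security level 1 and above.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Usage: python3 tls10_check.py <host> [port]
    for cfg in ("SSLv23:!SSLv2:!SSLv3", "SSLv23:!SSLv2:!SSLv3:!TLSv1"):
        print(cfg, "->", enabled_protocols(cfg),
              "early TLS off" if early_tls_disabled(cfg) else "early TLS ON")
    if len(sys.argv) >= 2:
        target = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 2083
        offered = tls10_offered(target, target_port)
        print(f"{target}:{target_port} offers TLS 1.0: {offered}")
```

Run the script with no arguments to see that the original list `SSLv23:!SSLv2:!SSLv3` still leaves TLSv1 enabled while the suggested `SSLv23:!SSLv2:!SSLv3:!TLSv1` does not; pass your server's hostname (and 2083) to repeat the scanner's probe after restarting cpsrvd. The manual equivalent is `openssl s_client -connect host:2083 -tls1`, which should fail to negotiate once the change is in place.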