PCI Scan still failing on TLS1

I'm still failing my PCI scans because of TLS 1.0.  I've read the forums and looked at patching the various *.conf file, but none of them contain the dreaded +TLSv1 or anything like it.

So is there a way to block all TLS 1.0 at the UTM or not?



This thread was automatically locked due to age.
  • You did not say which port is associated with the error.

    For WAF, the fix is easy (if you are on a recent firmware release)

    • Webserver Protection...
    • Web Application Firewall...
    • Advanced (tab)
    • TLS version (section)
    • Change minimum TLS version to TLS 1.2

    For SMTP,

    I would dispute the finding as stupid, but you will have to find a more diplomatic way to phrase things. If the other end can only do TLS 1.0, your choices are to connect with weak encryption or connect with no encryption. Weak encryption seems preferable to none. Also, encryption only matters if you are sure that you are communicating with the intended party, and that is also difficult to ensure with SMTP. But to answer your question so you don't have to waste time arguing, I think you will find it here:

    • File name:  /var/storage/chroot-smtp/etc/exim.conf
    • Secure cipher suggestion:   tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
    • Secure Protocol suggestion:   openssl_options = +no_sslv3
    • Then restart the smtpd service by executing:  /var/mdw/scripts/smtp restart
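Before re-running the ASV scan it helps to check the exim.conf settings offline rather than wait for the next report. The script below is an added example for this thread, not Sophos UTM or Exim code: it reads the main section of an Exim configuration, decodes the openssl_options flags and the tls_require_ciphers string, and reports which legacy protocol versions are still offered and which cipher families are not excluded. The flag names no_sslv3, no_tlsv1 and no_tlsv1_1 are Exim's documented openssl_options values and the cipher string follows OpenSSL syntax; the policy it enforces (a TLS 1.2 floor, matching the WAF setting above, plus the RC4/MD5/ADH exclusions from the suggested cipher list) and the two sample configurations are assumptions constructed for the example. Run against the settings suggested above, it shows that +no_sslv3 on its own leaves TLS 1.0 and TLS 1.1 negotiable, which is exactly what a scanner checking for TLS 1.0 will still see; adding +no_tlsv1 +no_tlsv1_1 clears the finding.

```python
"""Offline lint for Exim's openssl_options and tls_require_ciphers settings.

Added example, not Sophos UTM or Exim code. Flag names (no_sslv3, no_tlsv1,
no_tlsv1_1) are Exim's documented openssl_options values; the TLS 1.2 floor
and the cipher exclusions checked here are an assumed policy.
"""
import re

# Protocol flags that must be switched on (+) for a TLS 1.2 floor.
REQUIRED_PROTOCOL_FLAGS = ("no_sslv3", "no_tlsv1", "no_tlsv1_1")
# Cipher families that must be permanently excluded ("!NAME" in OpenSSL syntax).
REQUIRED_CIPHER_EXCLUSIONS = ("RC4", "MD5", "ADH")
VERSION_LABEL = {"no_sslv3": "SSLv3", "no_tlsv1": "TLS 1.0", "no_tlsv1_1": "TLS 1.1"}


def parse_exim_main_options(config_text):
    """Collect 'name = value' options from the main section of an Exim config.

    Comment lines start with '#'; the main section ends at the first 'begin'
    line. A later assignment to the same option wins, as in Exim itself.
    """
    options = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^begin\s", line):
            break
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.*?)\s*$", line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def openssl_option_flags(value):
    """Map each item of an openssl_options value to True for '+', False for '-'.

    A bare name without a sign is treated as '+' (assumption; Exim documents
    the explicit +name / -name form).
    """
    flags = {}
    for item in value.split():
        flags[item.lstrip("+-").lower()] = not item.startswith("-")
    return flags


def missing_protocol_flags(openssl_options_value):
    """Return the required no_* flags that are absent or switched off."""
    flags = openssl_option_flags(openssl_options_value)
    return [f for f in REQUIRED_PROTOCOL_FLAGS if not flags.get(f, False)]


def missing_cipher_exclusions(cipher_string):
    """Return cipher families that are not permanently excluded with '!NAME'."""
    tokens = {t.strip().upper() for t in cipher_string.split(":")}
    return [c for c in REQUIRED_CIPHER_EXCLUSIONS if f"!{c}" not in tokens]


def audit_exim_tls(config_text):
    """Return human-readable findings; an empty list means the config passes."""
    opts = parse_exim_main_options(config_text)
    findings = []
    for flag in missing_protocol_flags(opts.get("openssl_options", "")):
        findings.append(
            f"openssl_options lacks +{flag}: {VERSION_LABEL[flag]} is still offered")
    ciphers = opts.get("tls_require_ciphers", "")
    if not ciphers:
        findings.append("tls_require_ciphers is unset: OpenSSL's default list applies")
    for family in missing_cipher_exclusions(ciphers):
        findings.append(f"tls_require_ciphers does not contain !{family}")
    return findings


# Constructed sample: the settings suggested in the thread. Only SSLv3 is
# dropped, so a scanner negotiating TLS 1.0 still succeeds.
THREAD_SUGGESTION = """\
# main section (constructed excerpt)
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3

begin acl
"""

# Constructed sample: the same two options with a TLS 1.2 floor.
TLS12_FLOOR = """\
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
"""

if __name__ == "__main__":
    for name, cfg in (("thread suggestion", THREAD_SUGGESTION),
                      ("TLS 1.2 floor", TLS12_FLOOR)):
        findings = audit_exim_tls(cfg)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

To use it on a real UTM, copy the file out of the chroot (/var/storage/chroot-smtp/etc/exim.conf) and pass its contents to audit_exim_tls; the script does not need to run on the appliance. Note that !SSLv2 inside tls_require_ciphers only removes SSLv2 cipher suites from the list, it does not control which protocol versions Exim offers; that is what openssl_options is for.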