PCI compliance failing due to use of TLS v1.0


#1

Hello

I am currently unable to get verified as PCI compliant due to the use of TLS v1.0 on port 32015. Is there a way to disable TLS v1.0 at the moment?

Regards

Ashley


#2

Hi Ashley,

Can you share your PCI compliance standard for this?


#3

Hi

I don’t have a compliance document as such - the failure is from a third-party scanning process run by Trustwave. The details regarding the failure are below.

I think that I can probably dispute this with them provided I can show there is a plan to switch off TLSv1.0 by June 30th, 2016 so if you are able to commit to this by then, I can inform them and they’ll probably let me remain compliant for the time being.

Regards

Ashley

TLSv1.0 Supported

Severity: Medium
PCI Status: Fail
Description: This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.
Remediation: The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Organizations that are seeking to remain PCI compliant while continuing to use TLSv1.0-enabled services before June 30th, 2016 will need to dispute this finding and demonstrate that they have a formal risk mitigation and migration plan.


#4

Hi Ashley,

We do support TLS v1.2. At the same time, we are also backward compatible (this is the default and cannot be changed at the moment) with older firmware versions which use TLS v1.0.

We will provide an option in v6.2.1 GA to allow the user to enforce TLS v1.2. We believe this can meet your requirement.

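The scanner finding quoted in #3 and the "enforce TLS v1.2" option promised in #4 describe the same check from two sides: an ASV scan offers each protocol version on its own and fails the host if a TLS 1.0 handshake completes. The script below is an added example written for this page, not Peplink's or Trustwave's code, that does that probe with Python's `ssl` module and reduces the result to a pass/fail verdict. The host name `balance.example`, port 32015 and the two simulated devices in `demo()` are constructed placeholders that mirror the "Backward Compatibility" and "enforce TLS 1.2" behaviours described in the thread, not real firmware.

```python
"""Probe which TLS protocol versions a listener accepts, as an ASV scan does,
and turn the answer into a PCI-style verdict.

Added example, not Peplink's or Trustwave's code. 'balance.example', port
32015 and the simulated devices in demo() are constructed placeholders.
"""
import socket
import ssl
from typing import Callable, Dict, Optional

# Names are what SSLSocket.version() reports; "TLSv1" is TLS 1.0.
PROBE_VERSIONS: Dict[str, ssl.TLSVersion] = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def single_version_context(version: ssl.TLSVersion) -> Optional[ssl.SSLContext]:
    """Client context that offers exactly one protocol version.

    Returns None when the local OpenSSL cannot offer that version at all, so
    the caller reports the probe as inconclusive rather than as 'disabled'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not the device's (often self-signed)
    # certificate, so certificate and host-name validation are skipped here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return None
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; drop
        # to level 0 so the ClientHello really offers the old version.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # libraries without security levels reject the syntax
    return ctx


def handshake(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> str:
    """Complete a handshake and return the negotiated version string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


Connector = Callable[[str, int, object], str]


def probe(host: str, port: int, connector: Connector = handshake,
          context_factory=single_version_context) -> Dict[str, Optional[bool]]:
    """Map each version name to True (accepted), False (rejected) or None
    (inconclusive: our own TLS library could not offer it)."""
    results: Dict[str, Optional[bool]] = {}
    for name, version in PROBE_VERSIONS.items():
        ctx = context_factory(version)
        if ctx is None:
            results[name] = None
            continue
        try:
            connector(host, port, ctx)
            results[name] = True
        except (ssl.SSLError, ConnectionResetError):
            # Fatal alert, or the peer simply dropped us: version not offered.
            results[name] = False
        # Refused/timeout errors propagate: the whole scan is meaningless then.
    return results


def pci_verdict(results: Dict[str, Optional[bool]],
                forbidden=("TLSv1",)) -> str:
    """Mirror the quoted finding: accepting a forbidden version is a Fail."""
    if any(results.get(v) is True for v in forbidden):
        return "Fail"
    if any(results.get(v) is None for v in forbidden):
        return "Inconclusive"
    return "Pass"


def simulate(accepted) -> Connector:
    """Constructed stand-in for a device that completes a handshake only for
    the versions in `accepted`. Used with context_factory=lambda v: v, so the
    'context' it receives is just the TLSVersion being offered."""
    def connector(host, port, ctx):
        if ctx in accepted:
            return ctx.name
        raise ssl.SSLError(1, "protocol version")
    return connector


def demo() -> Dict[str, str]:
    """Verdicts for the two firmware behaviours in the thread (constructed)."""
    tv = ssl.TLSVersion
    devices = {
        "Backward Compatibility": {tv.TLSv1, tv.TLSv1_1, tv.TLSv1_2},
        "TLS 1.2 enforced": {tv.TLSv1_2},
    }
    return {label: pci_verdict(probe("balance.example", 32015,
                                     connector=simulate(accepted),
                                     context_factory=lambda v: v))
            for label, accepted in devices.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # real probe: python tlsprobe.py HOST PORT
        r = probe(sys.argv[1], int(sys.argv[2]))
        print(r, pci_verdict(r))
    else:
        print(demo())
```

Two caveats a practitioner should keep in mind: a `None` result means the scanning host's own OpenSSL could not offer the old version, which is not evidence that the device has disabled it, so re-run from a host that can; and current guidance (NIST SP 800-52 Rev. 2, and the PCI SSC's later migration deadline) treats TLS 1.1 the same way as 1.0, so today you would pass `forbidden=("TLSv1", "TLSv1.1")`.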

#5

Great - I think that should sort it - many thanks.

Do you currently have an estimated release date for v6.2.1 GA?

Regards

Ashley


#6

Hello Ashley,

It is currently in beta so we don’t have an official release date at this time, but I would anticipate that it should be GA by the end of next month.


#7

OK - great - many thanks

Ashley


#8

Hi Ashley,

May I ask where you are using TLS v1.0 and which service is failing PCI compliance?


#9

I believe that SpeedFusion supports TLS v1.0 although I guess it probably uses v1.2 by default. It is being flagged as non-compliant because it could potentially use v1.0 as I understand it.

Ashley


#10

> We will provide an option in v6.2.1 GA to allow user to enforce TLS v1.2. Believe this can meet your requirement.

Did this feature make it into v6.2.1? If so, could you please let me know where I can set it?

Thanks

Ashley


#11

Hi Ashley,

Please find the setting in the screenshot below (Network > SpeedFusion).

[Screenshot: Balance One - TLS 1.0]


#12

Many thanks - using the new setting worked fine and allowed me to pass my PCI compliance vulnerability scan.

Unfortunately however it appears that the new setting means that my Surf-On-The-Go devices can no longer connect via PepVPN even when I upgraded to the latest OTG firmware (1.0.26 build 1260).

Is it possible that the OTG firmware needs to be modified too?

Regards

Ashley


#13

Hi Ashley,

The default setting of Backward Compatibility is always recommended. I will feed this back to the engineering team to look into this problem ASAP and then revert.

If this is urgent, I suggest using High (firmware 5.3+) for the time being.

Thank you.


#14

Hi Ashley,

Please upgrade SOTG to this firmware - http://download.pepwave.com/firmware/sotg/fw_010027_build_1261.bin. It is working with TLS v1.2.


#15

Hi

The new firmware for the SOTG works fine - many thanks for the excellent customer service.

Ashley


#16

UPDATE: Peplink is fully capable of meeting the requirements for PCI DSS 3.0 compliant networks. Click here for full details.


#17

I am having the same issue with the Trustwave scans.

This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition.

Has there been a fix made available?


#18

Hi,

We do support TLS v1.2. Please upgrade your Balance router to latest firmware version.


#19

Thanks… I installed the new firmware and it looks like that has resolved the problem… I appreciate the quick reply.


#20

I am having the same issue with firmware version 6.3.1. I don’t see a setting for backward compatibility in the SpeedFusion settings. Please help.
Thanks.