PCI compliance failing due to use of TLS v1.0

ashleyh · May 19, 2015, 6:54am

Hello

I am currently unable to get verified as PCI compliant due to the use of TLS v1.0 on port 32015. Is there a way to disable TLS v1.0 at the moment?

Regards

Ashley

TK_Liew · May 19, 2015, 3:53pm

Hi Ashley,

Can you share your PCI compliance standard for this?

ashleyh · May 19, 2015, 4:09pm

Hi

I don’t have a compliance document as such - the failure is from an third-party scanning process run by Trustwave. The details regarding the failure are below.

I think that I can probably dispute this with them provided I can show there is a plan to switch off TLSv1.0 by June 30th, 2016 so if you are able to commit to this by then, I can inform them and they’ll probably let me remain compliant for the time being.

Regards

Ashley

TLSv1.0 Supported

Severity Medium
PCI Status Fail
Description This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.
Remediation The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Organizations that are seeking to remain PCI compliant while continuing to use TLSv1.0 enabled services before June 30th, 2016 will need to dispute this finding and demonstrate that they have formal risk mitigation and migration plan.

TK_Liew · May 19, 2015, 9:08pm

Hi Ashley,

We do support TLS v1.2. At the same time, we also backward compatible (This is default and can’t change at the moment) with older firmware version which are using TLS v1.0.

We will provide an option in v6.2.1 GA to allow user to enforce TLS v1.2. Believe this can meet your requirement.

ashleyh · May 19, 2015, 9:18pm

Great - I think that should sort it - many thanks.

Do you currently have an estimated release date for v6.2.1 GA?

Regards

Ashley

Jarid_Petermann · May 19, 2015, 11:20pm

Hello Ashley,

It is currently in beta so we don’t have a official release date at this time but I would anticipate that it should be GA by the end of next month.

ashleyh · May 20, 2015, 1:55am

OK - great - many thanks

Ashley

Jupiter · May 21, 2015, 12:55am

Hi Ashley,

May I ask where do you use the TLS v1.0 and is failing to comply for PCI?

ashleyh · May 21, 2015, 12:59am

I believe that SpeedFusion supports TLS v1.0 although I guess it probably uses v1.2 by default. It is being flagged as non-compliant because it could potentially use v1.0 as I understand it.

Ashley

ashleyh · July 22, 2015, 1:58am

> We will provide an option in v6.2.1 GA to allow user to enforce TLS v1.2. Believe this can meet your requirement.

Did this feature make it into v6.2.1? If so, could you please let me know where I can set it?

Thanks

Ashley

TK_Liew · July 22, 2015, 1:35pm

Hi Ashley,

Please find the setting at screen shot below (Network > SpeedFusion).

ashleyh · July 22, 2015, 9:25pm

Many thanks - using the new setting worked fine and allowed me to pass my PCI compliance vulnerability scan.

Unfortunately however it appears that the new setting means that my Surf-On-The-Go devices can no longer connect via PepVPN even when I upgraded to the latest OTG firmware (1.0.26 build 1260).

It is possible that the OTG firmware needs to be modified too?

Regards

Ashley

TK_Liew · July 23, 2015, 11:33am

Hi Ashley,

Default setting for Backward Compatibility is always recommended. I will feedback to engineering team to look into this problem asap then revert.

If this is urgent, I suggest to use High (firmware 5.3+) for the time being.

Thank you.

TK_Liew · July 30, 2015, 8:29pm

Hi Ashley,

Please upgrade SOTG to this firmware - http://download.pepwave.com/firmware/sotg/fw_010027_build_1261.bin. It is working with TLS v1.2.

ashleyh · August 5, 2015, 3:23am

Hi

The new firmware for the SOTG works fine - many thanks for the excellent customer service.

Ashley

Alan · August 20, 2015, 8:49pm

UPDATE: Peplink is fully capable of meeting the requirements for PCI DSS 3.0 compliant networks.Click here for full details.

beasracin · September 15, 2015, 10:31pm

I have having the same issue with the Trustwave Scans.

This vulnerability is not recognized in the National Vulnerability
Database. TLS v1.0 violates PCI DSS and is considered an automatic
failing condition.

Has there been a fix made available?

TK_Liew · September 16, 2015, 11:31am

Hi,

We do support TLS v1.2. Please upgrade your Balance router to latest firmware version.

beasracin · September 16, 2015, 11:39pm

Thanks…I installed the new firmware and it looks like that have resolve the problem…I appreciate the quick reply

dajinx · June 14, 2016, 1:01pm

I am having the same issue with firmware version 6.3.1. I dont see a setting for backward compatibility in the speedfusion settings. Please help.
Thanks.