PCI Compliance - TLSv1.0 Encryption Support

**Bob** · 04-27-2016, 08:29 AM

Trustkeeper and other providers have begun failing sites during PCI Compliance scans for TLS 1.0 Encryption support.

This is one of those areas where PCI compliance may drive changes that could cause issues for some sites as many older applications may still rely on TLSv1.0, such as Android 4.2 and earlier.

We are asking our site owners to post in the included Poll as to whether they would be affected by dropping support for TLSv1.0, as well as posting why dropping, or keeping, TLSv1.0 support would be preferable.

-Bob

**Terra** · 05-04-2016, 05:19 AM

...bump...

*Wassercrats* · 05-04-2016, 12:55 PM

What are the most popular tools that would break if you dropped support for v 1.0? Would visitors to my website who use IE 6 not be able to view it? I selected "What the heck is TLS 1.0."

**Kevin** · 05-04-2016, 01:06 PM

If you have a browser you want to check you can check it here: https://www.ssllabs.com/ssltest/viewMyClient.html

**Kevin** · 05-04-2016, 01:23 PM

As far as IE6 goes, by default it only supports SSL2 and SSL3 by default. It is possible to configure it to do TLS1.0. Here are the steps: http://www.ccnow.com/files/How_to_En...S_v1_in_IE.pdf

So, we have already disabled support for IE6 in the default configuration. This change would be the final end of support for IE6 in any configuration.

As far as "What the heck is TLS 1.0." goes, it is the 1999 replacement for SSL 3.0 which itself was replaced by TLS 1.1 in 2006. The current version is TLS 1.2 as of 2008.

**Terra** · 09-22-2016, 06:52 PM

Due to client reported issues with PCI compliance scanning and the grace period has now expired, we have officially deprecated TLSv1.0 in the mail protocols...

I am currently working on disabling it in the ApacheSSL engines as well and will post up when that work has been completed...

If you encounter any problems with the removal of TLSv1.0, please let us know which browser or email client you are using...

*hobbes* · 09-22-2016, 06:59 PM

Is that why email started failing for me 30 mins ago? Outlook/Win and Mail/iOS

*hobbes* · 09-22-2016, 07:11 PM

Can we get the email change undone pending guidance on how to reconfigure mail apps?

**Terra** · 09-22-2016, 07:13 PM

The ApacheSSL engines have been updated as well...

Currently, we support all PCI compliant SSL protocols and have disabled the ones that are not:
non-compliant: SSLv2, SSLv3, TLSv1.0
compliant: TLSv1.1, TLSv1.2

As an aside, TLSv1.1 was defined in April of 2006...

**Terra** · 09-22-2016, 07:18 PM

Hobbes, if it is for a MQS, then yes, but if a Community Server - then no...

On the topic of mail apps, I think they will need to be upgraded to a version that supports >= TLSv1.1

Overall, I don't necessarily like having to do this, but PCI Compliance finally pushed our hand as some of our clients were unable to get certified today... Also, we can't just disable TLSv1.0 for specific clients, as the daemons handle all connections for that server...