Hi all,
Does anyone have any knowledge as to when BC will adopt the TLS 1.1 protocol? We just got our first red flag on our monthly PCI scan, and I'm told that the changes will need to be made by June of 2016.
Thanks in advance,
Don
BC told me they will be updating it.
They are PCI audited so if June is the due date I am sure they will get that sorted by then.
Thanks Liam.
Just to confirm, we have TLS 1.1 starting on Monday, 4th of May 2015.
Cristinel
All our BC sites I visit, Cristinel, still show as using SHA-1.
The question was about supporting TLS 1.1 and we do support that and TLS 1.2 now. We will not drop support for TLS 1.0 as we don't have any reasons to do that. The only other update that we'll make is to update the certificate to use SHA-2 which will happen most likely in June.
Cristinel
Sorry, got cut off. I meant to say about that, as well as the flagging from various things: even the analytics stuff is messing up stats, etc. at the moment.
cristinel@adobe wrote:
We will not drop support for TLS 1.0 as we don't have any reasons to do that.
We just got scanned and failed due to support for TLS 1.0. Here is the error from the TrustWave scan:
This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.
Their recommendation is:
The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding.
That is a reason to drop support for TLS 1.0, is it not?
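As an added example that is not part of this thread: a small Python probe (stdlib `ssl` only) that checks which protocol versions a server will negotiate and applies the scanner's logic quoted above, i.e. the finding stands while TLS 1.0 is negotiable and is cleared once only TLS 1.1+ remains. The host and port are whatever you point it at; the `assess` policy is my own encoding of the recommendation, not TrustWave's code.

```python
import socket
import ssl

# Versions the quoted finding treats as weak (SSL 3.0/TLS 1.0) versus the ones its
# recommendation accepts (TLS 1.1/1.2; TLS 1.3 added here for current stacks).
WEAK_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1)
STRONG_VERSIONS = (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_version(host, port, version, timeout=5.0):
    """Return True if host:port completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test protocol support here, not the cert chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; relax it
            # for the probe only (builds without security levels raise and are ignored).
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, OSError):  # ssl.SSLError is an OSError subclass
        return False


def assess(support):
    """Map {TLSVersion: negotiable?} to (passes_finding, findings).

    Mirrors the scan text: the finding is raised while any weak version is
    negotiable, and "simply disabling" TLS 1.0 only helps if TLS 1.1+ is already on.
    """
    findings = []
    for v in WEAK_VERSIONS:
        if support.get(v):
            findings.append(f"{v.name} still enabled: disable it")
    if not any(support.get(v) for v in STRONG_VERSIONS):
        findings.append("no TLS 1.1+ offered: enable TLS 1.2 before disabling TLS 1.0")
    return (not findings, findings)


def scan(host, port=443):
    """Probe every version and return the assessment for host:port."""
    support = {v: probe_version(host, port, v) for v in WEAK_VERSIONS + STRONG_VERSIONS}
    return assess(support)


if __name__ == "__main__":
    import sys
    ok, findings = scan(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("PASS" if ok else "FAIL", *findings, sep="\n")
```

Run it as `python tls_probe.py example.com 443`; a host that answers a TLS 1.0-pinned handshake reports FAIL with the version named.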
Hi Wayne,
As part of the PCI certification we get scanned quarterly and do not fail. TLS 1.0 is indeed flagged as having weak encryption, but this does not trigger a fail in the scan. Moreover, a considerable number of platforms still support only TLS 1.0, so dropping it is not really an option at this point.
Could you open a support case and upload the results of the scan? We would like to review the report results and compare them to what we get from our vendors.
Kind regards,
Cristinel
Hi Cristinel,
There is a big difference between "we don't have any reasons to do that" and "dropping it is not really an option at this point"! So, am I opening a support case for your intellectual curiosity, "to review the report results and compare them to what we get from our vendors", or to actually help us with a solution?
Regards,
Wayne.
Hi Wayne,
We would like to review the audit reports so that we can understand the objections and find a solution to the problem. The reports are usually confidential, so sharing them over the forum is not an option.
Cristinel
Hi Cristinel,
We've got the same issue with TLS 1.0 and need to provide a Risk Mitigation and Migration Plan by June 30 to stay PCI compliant. Can you provide information on your migration plan, as required by the PCI Security Standards Council (https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement...)?
Please open a case with BC support and you will be assisted with the required documentation.
Cristinel