TLS 1.1 ?

Report · May 01, 2015

Hi all,

Does anyone have any knowledge as to when BC will adopt the TLS 1.1 protocol. We just got our first red flag on our monthly PCI scan, and I'm told that the changes will need to be made by June of 2016.

Thanks in advance,

Don

Report · May 01, 2015

BC told me they will be updating it.

They are PCI audited so if June is the due date I am sure they will get that sorted by then.

Report · May 01, 2015

Thanks Liam.

Report · May 05, 2015

Just to confirm, we have TLS 1.1 starting with Monday, 4th of May 2015.

Cristinel

Report · May 05, 2015

All our BC sites I visit Crisitnel still say using SHA-1

Report · May 05, 2015

The question was about supporting TLS 1.1 and we do support that and TLS 1.2 now. We will not drop support for TLS 1.0 as we don't have any reasons to do that. The only other update that we'll make is to update the certificate to use SHA-2 which will happen most likely in June.

Cristinel

Report · May 06, 2015

Sorry, got cut off, I was meant to say about on that as well as the flagging from various things, even analytical stuff is messing up stats etc at the moment.

Report · May 12, 2015

cristinel@adobe wrote:

We will not drop support for TLS 1.0 as we don't have any reasons to do that.

We just got scanned and failed due to support for TLS 1.0 support. Here is the error from the TrustWave scan:

This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.

Their recommendation is:

The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding.

That is a reason to drop support for TLS 1.0, is it not?

Report · May 13, 2015

Hi Wayne,

As part of the PCI certification we get scanned quarterly and do not fail. TLS 1.0 is indeed flagged as having a weak encryption, but this does not trigger a fail in the scan. Moreover, a considerable number of platforms are still supporting only TLS 1.0 so dropping it is not really an option that this point.

Could you open up a support case and upload the results of the scan? We will like to review the report results and compare it to what we get from our vendors.

Kind regards,

Cristinel

Report · May 13, 2015

Hi Christinel,

There is a big difference between "we don't have any reasons to do that" and "dropping it is not really an option that this point!" So, am I opening a support case for your intellectual curiosity "to review the report results and compare it to what we get from our vendors", or to actually help us with a solution?

Regards,
Wayne.

Report · May 13, 2015

Hi Wayne,

We would like to review the audit reports so that we can understand the objections and find a solution to the problem. The reports are usually confidential so sharing them over forum is not an option.

Cristinel

Report · Jun 08, 2015

Hi, Cristinel

We've got the same issue with TLS 1.0 and need to provide Risk Mitigation and Migration Plan till June 30 to stay PCI compliant. Can you provide information on your migration plan as it required by PCI Security Standards Council (https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement...) ?

Report · Jun 08, 2015

Please open a case with BC support and you will be assisted with the required documentation.

Cristinel

Adobe Community

TLS 1.1 ?