TLSv1.0 Supported

-1

Got a job for a company with no personal IT experience and was given the task of working on compliance issues. The issue is "TLSv1.0 Supported"; the research I have done shows it is an application layer problem in the IP suite. How would I go about fixing this issue? When I went to the National Vulnerability Database, it does not show this vulnerability. Is it a relatively new vulnerability? How do I go about fixing this issue?

Curtis Barnes

Posted 2017-01-03T17:43:09.223

Reputation: 3

Question was closed 2017-01-04T00:12:09.977

the company has no IT experience... or you don't? Your opening sentence is somewhat ambiguous. – Tetsujin – 2017-01-03T17:44:57.870

Which services support TLS? Typically this would be a webserver. Which webserver software are you using? – heavyd – 2017-01-03T17:46:22.810

I don't have any for clarification. – Curtis Barnes – 2017-01-03T17:50:01.537

"It does not show this Vulnerability" - What vulnerability? There are dozens of TLS/SSL vulnerabilities that exist currently. You do realize that you should be trying to support TLSv1.2 and TLSv1.3 instead of v1.0, right? You should reject TLSv1.0, due to it allowing you to downgrade the secure connection to SSL 3.0, which has its own vulnerabilities. – Ramhound – 2017-01-03T17:50:54.853

@Longnius - If you do not have any clarification then we cannot help you. You need to get that clarification, edit your question, then and only then can we help you. – Ramhound – 2017-01-03T17:51:12.317

@ramhound duly noted. How would I go about upgrading the current version of TLS from v1.0 to the latest v1.3? – Curtis Barnes – 2017-01-03T17:55:52.873

@Longnius - v1.3 is currently in a draft standard. You should simply focus on TLS v1.2+ support. – Ramhound – 2017-01-03T17:57:30.337

@ramhound Okay, what steps should I take to upgrade from v1.0 to v1.2? If you feel inclined to take it a step further in explanation. – Curtis Barnes – 2017-01-03T18:01:09.423

@Longnius, you should check out https://www.ssllabs.com/ssltest/ – heavyd – 2017-01-03T18:08:11.530

@Longnius - You need to provide the required clarification to your question. I have no idea which SSL/TLS vulnerability you're trying to protect your system from. "it is a application layer problem in the IP Suite" - unfortunately this tells me absolutely nothing helpful. – Ramhound – 2017-01-03T18:09:12.783

@Ramhound sadly this is all I have to go on, this report for PCI-DSS was given to me and I am only able to extrapolate the data they give me. – Curtis Barnes – 2017-01-03T18:18:30.213

Well on that report they probably told you which server they scanned or something. Go figure out the OS and software on that server, and see if it can be upgraded, or have the configuration changed. – Zoredache – 2017-01-03T18:20:01.970

@Longnius - If you are unable to provide the technical details, then it's literally not possible for me to explain HOW you would start supporting TLS v1.2 if the system does not already support it. Of course PCI-DSS tells me a great deal; it tells me you're dealing with payment information, specifically and very likely a website. This means your SSL certificate should be created in a way that TLS 1.2 support is possible and your web server backend is configured to only support TLS 1.2. – Ramhound – 2017-01-03T18:23:34.220

@Ramhound I understand your frustrations and agree that the information provided is not enough for a beginner to even a seasoned IT professional. Thank you for your input though as it has been very helpful and I do appreciate it. I wish I could provide you with more details. – Curtis Barnes – 2017-01-03T18:28:26.213

You could. You just have to seek those details out from somebody within your company that has that information. – Ramhound – 2017-01-03T18:31:22.827

@Ramhound I am the only IT person here. The company had an outage for 5 days before the company they outsourced their IT to contacted them. They switched and hired me, both paying for my schooling so that they can invest in me and that I can learn from them. – Curtis Barnes – 2017-01-03T18:34:10.190

@Longnius do you know what software was being audited? Or which service? What operating system are you running? – heavyd – 2017-01-03T18:35:41.940

If you are being trained, which you indicate you are by the fact you said "and that I can learn from them", you need to talk to "them". So you are an individual that has no experience and is being trained, but are expected to do something without any help from anyone that has that experience. It sounds like you are being set up to fail. – Ramhound – 2017-01-03T18:35:59.250

If not set up to fail, then the company really has zero clue about the problems they are facing & think it's something that can be dealt with by a 'learner on the job'. They've dropped the old, presumably expensive, company & gone low budget. @Longnius - you're either going to have to learn fast or get out quick :/ – Tetsujin – 2017-01-03T19:01:09.497

@ramhound After talking to my boss, the way it was now explained (much different from earlier) is that they are continuing to use the company but want me to slowly take their place. I will get a list of services this company provides, such as hosting the website, server, etc., so that I can further give more details. Just to get a good idea on what to ask, would you be able to provide me with a couple of things I should ask to make things easier? – Curtis Barnes – 2017-01-03T19:26:24.887

@Longnius - I will be unable to teach your job to you, so you know what questions to ask, you will have to determine those on your own. – Ramhound – 2017-01-03T20:00:45.330

@Ramhound I am asking for general questions you would recommend, not for my job to be taught to me. It helps to be pointed in a general direction instead of no direction, but I understand. – Curtis Barnes – 2017-01-03T20:03:17.560

We have already given you a handful of questions we need answers to. It sounds like you should be doing more research, and have a better understanding, of what your current task is. – Ramhound – 2017-01-03T20:05:37.947

Answers

0

Since we have no idea what OS you have, server software, or anything of the kind, I will offer some general information to point you in the right direction.

Note: It is quite possible that major configuration changes may affect other software running on the system. It is best to have a full backup of the server before you begin. It is even better to restore that backup to a virtual machine and test the changes there before implementing them in production.

If your company doesn't already have a certificate for SSL, you will need to purchase one, for example here: https://www.digicert.com/ Preferably an EV cert. For personal use Let's Encrypt is fine, but you need to pass compliance, so it isn't going to be good enough.

On Linux servers and/or PCs, first you need to make sure you have a supported version of OpenSSL. In many cases this means updating your libssl and/or libopenssl. https://www.openssl.org/

The most common services are web servers like Apache and nginx.

  1. Update your SSL library.
  2. Update the web server.
  3. Change the web server configuration to only use TLS.

Most Linux distributions have built-in package managers. Consult the documentation for which one your Linux supports, but here are some examples. You probably want to stick with an update for now, as upgrades make sweeping system-wide changes. Even so, this is why we do a full backup in case something bad happens.

# Debian/Ubuntu: refresh package lists, install updates, then (optionally) the full distribution upgrade
apt-get update
apt-get upgrade
apt-get dist-upgrade

# openSUSE/SLES: install updates, then (optionally) the full distribution upgrade
zypper update
zypper dup

What to plan for: many version upgrades of Apache have configuration changes, and Apache may initially fail to start. You will have to view the log files to know where the errors are located, then consult Google and Apache's website to update the configuration. The log is sometimes located in /var/log/apache/error_log.

For Apache, at least these options need to be set. You may choose to alter the list of allowed things, but it works for me.

In ssl-global.conf

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
# Point SSLCertificateFile at a PEM encoded certificate.
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Windows PC

Windows Server 2003 does not support the TLS 1.2 protocol.

https://www.basics.net/2015/10/06/iis-7-5-how-to-enable-tls-1-1-and-tls-1-2/

Most versions of Windows have TLS support. They probably use IIS.

It is possible that, if they have very old versions of either, you may need to upgrade.

Then you need to edit the configuration to disable SSL all versions.

cybernard

Posted 2017-01-03T17:43:09.223

Reputation: 11 200

You might replace "update OpenSSL" with a more general "update your SSL library" since the author has basically indicated their knowledge is extremely limited. – Ramhound – 2017-01-03T22:39:43.067
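A check worth running before re-submitting the scan, added here as an example and not part of cybernard's answer or of Apache's own tooling: the directive the answer shows, SSLProtocol all -SSLv2 -SSLv3, removes only the SSL versions, so TLSv1.0 (the version the "TLSv1.0 Supported" finding is about) stays enabled. The script below parses SSLProtocol lines and reports which versions a line actually leaves on. It assumes the mod_ssl parsing rules of Apache 2.4 as I understand them: `all` expands to every version the build knows, `+name` adds, `-name` removes, and a bare name replaces whatever was set before it. The exact contents of `all` depend on the OpenSSL the server was built against, so that set is an assumption, and the sample config is constructed.

```python
"""Report the protocol versions an Apache mod_ssl SSLProtocol directive leaves enabled.

Added example; not code from the answer above or from the Apache project.
Assumption: parsing follows mod_ssl in Apache 2.4 ('all' expands to the build's
full set, '+' adds, '-' removes, a bare name replaces the set so far).
"""
import re

# Canonical names keyed by lowercase spelling (mod_ssl matches names case-insensitively).
CANONICAL = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}

# What 'all' expands to. Assumption: an Apache 2.4 build against OpenSSL 1.1.x;
# SSLv2 is never part of 'all' in 2.4.
ALL_EXPANDS_TO = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})

# Versions a PCI DSS scan reports as "SSL and early TLS"; TLSv1.1 is listed as weak as well.
LEGACY = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})


def effective_protocols(value):
    """Return the set of protocol versions enabled by one SSLProtocol value."""
    enabled = set()
    for word in value.split():
        action = None
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            chosen = set(ALL_EXPANDS_TO)
        elif key in CANONICAL:
            chosen = {CANONICAL[key]}
        else:
            raise ValueError("unknown protocol keyword: %r" % word)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare name: replaces everything set so far
    return enabled


DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def scan_config(text):
    """Return (line_number, value, enabled, legacy) for each SSLProtocol line.

    Simplification: comment lines are skipped and <VirtualHost> scoping is not
    modelled; every directive is reported on its own.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        value = match.group(1)
        enabled = effective_protocols(value)
        findings.append((number, value, enabled, enabled & LEGACY))
    return findings


# Constructed sample: the directive from the answer above, plus a hardened variant in a vhost.
SAMPLE_CONFIG = """\
# ssl-global.conf (constructed sample, not a real server's file)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
<VirtualHost *:443>
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for number, value, enabled, legacy in scan_config(SAMPLE_CONFIG):
        if legacy:
            verdict = "FAIL (still offers %s)" % ", ".join(sorted(legacy))
        else:
            verdict = "OK (%s)" % ", ".join(sorted(enabled))
        print("line %d: SSLProtocol %s -> %s" % (number, value, verdict))
```

Run against the sample, the answer's global line reports TLSv1 and TLSv1.1 still enabled while the vhost line passes. The script only reads the file; after changing the directive and restarting Apache, confirm from outside with the SSL Labs test heavyd linked in the comments, since that is what the compliance scanner sees.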