Question - Penetration Testing Issue

Hi Sam, Esteban and team of Eramba,

I have some issue from our client after penetration testing is done.

The remote service encrypts traffic using an older version of TLS. The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, endpoints that aren't enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

The remote service encrypts traffic using an older version of TLS. The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and recommended cipher suites. Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1.

As of March 31, 2020, endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.

Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.

Is this on a local hosted or SaaS instance?

Also, of note, the finding wording is likely incomplete - you can likely connect using TLS 1.2 or 1.3 and usually will as TLS 1.1 and below are only tried if the better connections fail (hello, IE8 users). It does not mean that all traffic is encrypted that way.

That being said, this should be a simple change to make for on-premise - either a docker configuration adjustment or, for source installs, an adjustment to your web server configuration. Of course, I do think the default shipped configuration should already be set for 1.2/1.3 only.

I checked the SaaS demo using SSL Labs and it appears to be an AWS load balancer that only takes 1.2 and 1.3.
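As an added illustration of the web server adjustment mentioned above (this is not from the original thread and not Eramba's shipped configuration), here is what the change looks like when the on-premise instance is fronted by nginx. The hostname and certificate paths are placeholders. The first server block is the kind of setting that produces the TLS 1.0 / TLS 1.1 findings quoted in the question; the second is the corrected one. In a real configuration only one of the two would exist.

```nginx
# Weak setting (illustrative): this is the sort of configuration that
# makes a scanner report "accepts connections encrypted using TLS 1.0/1.1".
server {
    listen 443 ssl;
    server_name eramba.example.internal;              # placeholder hostname
    ssl_certificate     /etc/ssl/certs/eramba.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/eramba.key;  # placeholder path

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still offers TLS 1.0 and TLS 1.1
    ssl_ciphers   HIGH:!aNULL:!MD5;        # broad list, CBC suites included
}

# Corrected setting: only TLS 1.2 and 1.3 are negotiated. A client whose
# ClientHello offers nothing newer than TLS 1.1 gets a handshake failure,
# which is exactly what the scanner should now observe.
server {
    listen 443 ssl;
    server_name eramba.example.internal;              # placeholder hostname
    ssl_certificate     /etc/ssl/certs/eramba.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/eramba.key;  # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;         # TLS 1.0 and 1.1 are no longer offered

    # TLS 1.2 suites restricted to forward-secret AEAD ciphers (GCM / ChaCha20),
    # i.e. the "authenticated encryption modes" the finding says TLS 1.1 cannot use.
    # TLS 1.3 suites are fixed by the TLS library and are not selected here.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;         # let modern clients pick their preferred AEAD suite
}
```

After editing, run `nginx -t` to validate the file and then reload nginx. TLS 1.3 in `ssl_protocols` requires nginx 1.13.0 or newer linked against OpenSSL 1.1.1 or newer; on older builds drop `TLSv1.3` and keep `TLSv1.2` only. To confirm the fix from a client, `openssl s_client -connect host:443 -tls1_1` (and `-tls1`) should now end in a handshake failure, while a plain `openssl s_client -connect host:443` should report TLSv1.2 or TLSv1.3, which matches what an SSL Labs scan will show.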

You need to contact whoever manages that installation, probably some technical team in your organisation. We do not host this instance for sure; SaaS runs very different settings.