ITSourcePro

Support for TLS 1.2 on Agent for PCI 3.2 Compliance


Per PCI 3.2, TLS 1.0 will soon be required to be disabled. We tested this out on a few of our servers with Pulseway and after doing so the Pulseway Agent on the server stopped reporting into the Pulseway Console. When trying to verify the account on the Pulseway Manager 5.1 we got the following error:

An error occurred while receiving the HTTP response to https://ws15.pulseway.com/Server.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.

The only way to fix it was to re-enable the TLS 1.0 Client Protocol here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

I checked Pulseway's SSL Cert on Qualys SSL and it said it accepted TLS 1.0 to 1.2 but it must be something in the Agent code that limits it to TLS 1.0.

Not sure if this should be a Bug or Feature request but just wanted to make the team aware of the issue.

Thanks!

ITSourcePro


Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul
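The SCHANNEL key from the first post and the .NET Framework "registry hack" Paul refers to can be audited together from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not Pulseway's built-in "Enable TLS 1.2 in .NET Framework 4.0" script, whose contents the thread does not show. It assumes that script sets Microsoft's documented SchUseStrongCrypto value, which is what lets an application built against .NET Framework 4.0 offer TLS 1.1 and 1.2 once the 4.5 (or later) runtime is installed, and it only reports; the remediation function at the end is not called unless you choose to.

```powershell
# Added example for this thread (not Pulseway's own automation script).
# Reports, per protocol and side, how SCHANNEL is configured on this host, whether
# .NET Framework 4.5+ is present, and whether the SchUseStrongCrypto switch is set.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ProtocolState {
    param([string]$Protocol, [string]$Side)   # e.g. 'TLS 1.0', 'Client'
    $key = Join-Path $schannel "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'OS default (key absent)' }
    $p = Get-ItemProperty -Path $key
    # Enabled=0 switches the protocol off outright; DisabledByDefault=1 leaves it
    # available only to callers that ask for it explicitly.
    if ($p.Enabled -eq 0)           { return 'Disabled (Enabled=0)' }
    if ($p.DisabledByDefault -eq 1) { return 'Disabled by default (DisabledByDefault=1)' }
    return 'Enabled'
}

foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        '{0,-8} {1,-6} : {2}' -f $proto, $side, (Get-ProtocolState $proto $side)
    }
}

# .NET side: the 4.5+ runtime is identified by the Release value of the v4 Full key;
# 378389 is the Release number of .NET Framework 4.5.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$has45 = ($null -ne $ndp) -and ($ndp.Release -ge 378389)
"NET Framework 4.5+ installed : $has45 (Release=$($ndp.Release))"

# A 4.0-targeted process (the agent) uses TLS 1.1/1.2 only when SchUseStrongCrypto=1
# is present under the hive matching its bitness; check both to be safe.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($k in $netKeys) {
    $v = (Get-ItemProperty $k -ErrorAction SilentlyContinue).SchUseStrongCrypto
    "$k`n    SchUseStrongCrypto = $(if ($null -eq $v) { 'not set' } else { $v })"
}

function Enable-NetStrongCrypto {
    # Remediation: only meaningful when 4.5+ is installed, since the 4.0 runtime
    # itself cannot speak TLS 1.1/1.2 regardless of this value.
    if (-not $has45) { Write-Warning 'NET Framework 4.5+ not found; nothing to enable.'; return }
    foreach ($k in $netKeys) {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name SchUseStrongCrypto -Value 1 -Type DWord }
    }
    'SchUseStrongCrypto set; restart the Pulseway service for it to take effect.'
}
```

Run it once before disabling TLS 1.0 Client: if the .NET 4.5+ line is False or SchUseStrongCrypto is "not set", the agent will lose its connection exactly as the first post describes, and the audit tells you which of the two conditions to fix first.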

On 28.4.2017 at 10:38 AM, Paul said:

Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul

Hi Paul,

Good to hear that there is a "quick and dirty" fix for this issue.

But somehow I don't understand how to do this "running the 'Enable TLS 1.2 in .NET Framework 4.0' built-in automation script".

Could you please let me know how I could enable this registry hack on a PC running client 5.1.2?

Thank you very much in advance.

sascha


Hi Sascha,

Under the WebApp -> Automation -> Tasks you will find a task called "Enable TLS 1.2 in .NET Framework 4.0". You can edit the system scope on which the automation task will run to only target the systems you need to. Alternatively you can run the "Enable TLS 1.2 in .NET Framework 4.0" built-in script individually on a system by going to the "Scripts" section of the system details from the WebApp or mobile apps under the Built-in categories.

-Paul


Suggestion: make settings more secure by default, then those who need legacy support can downgrade as required; i.e., the PW back-end defaults to Mozilla Security/Server Side TLS "Intermediate compatibility" and the PW agents default to Mozilla Security/Server Side TLS "Modern compatibility"; then those who need legacy support can downgrade security using a similar method to the guidance above if required. (This can also be made into a selectable item in the agent installer/config if desired; e.g., "HTTPS encryption strength": "standard security" and "legacy support".)
