ITSourcePro

Support for TLS 1.2 on Agent for PCI 3.2 Compliance


Per PCI 3.2, TLS 1.0 will soon be required to be disabled. We tested this out on a few of our servers with Pulseway and after doing so the Pulseway Agent on the server stopped reporting into the Pulseway Console. When trying to verify the account on the Pulseway Manager 5.1 we got the following error:

An error occurred while receiving the HTTP response to https://ws15.pulseway.com/Server.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.

The only way to fix it was to re-enable the TLS 1.0 Client Protocol here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

I checked Pulseway's SSL Cert on Qualys SSL and it said it accepted TLS 1.0 to 1.2 but it must be something in the Agent code that limits it to TLS 1.0.

Not sure if this should be a Bug or Feature request but just wanted to make the team aware of the issue.

Thanks!

ITSourcePro

 


Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul

On 28.4.2017 at 10:38 AM, Paul said:

Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul

Hi Paul,

Good to hear that there is a "quick and dirty" fix for this issue.

But somehow I don't understand how to do this "running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script".

Could you please let me know how I could enable this registry hack on a PC running client 5.1.2?

Thank you very much in advance.

sascha


Hi Sascha,

Under the WebApp -> Automation -> Tasks you will find a task called "Enable TLS 1.2 in .NET Framework 4.0". You can edit the system scope on which the automation task will run to only target the systems you need to. Alternatively you can run the "Enable TLS 1.2 in .NET Framework 4.0" built-in script individually on a system by going to the "Scripts" section of the system details from the WebApp or mobile apps under the Built-in categories.

-Paul
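
A read-only pre-check for the change discussed in this thread, added here as an example; it is not Pulseway's built-in script and not part of the original posts. The thread does not show which registry values that script sets, so this audit assumes the Microsoft-documented .NET Framework values `SchUseStrongCrypto` and `SystemDefaultTlsVersions`, and it reports whether .NET 4.x applications on the host should still be able to connect once the TLS 1.0 client protocol is disabled.

```powershell
# Added example: read-only audit, changes nothing on the host.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1. SCHANNEL client protocol state: the key from the first post, plus TLS 1.1/1.2.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    [pscustomobject]@{
        Protocol          = $p
        Enabled           = Get-RegValue "$schannel\$p\Client" 'Enabled'
        DisabledByDefault = Get-RegValue "$schannel\$p\Client" 'DisabledByDefault'
    }
}

# 2. .NET Framework 4.x release number; 378389 or higher means 4.5 or later.
$release  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
$hasNet45 = ($null -ne $release) -and ($release -ge 378389)

# 3. .NET opt-in values (assumption: these are what the "registry hack" sets).
#    Both registry views matter; Wow6432Node exists only on 64-bit Windows.
$roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' |
         Where-Object { Test-Path $_ }
$dotnet = foreach ($root in $roots) {
    [pscustomobject]@{
        Key                      = $root
        SchUseStrongCrypto       = Get-RegValue $root 'SchUseStrongCrypto'
        SystemDefaultTlsVersions = Get-RegValue $root 'SystemDefaultTlsVersions'
    }
}

$protocols | Format-Table -AutoSize
".NET 4.5 or later installed: $hasNet45 (Release = $release)"
$dotnet | Format-List

# Verdict. An absent TLS 1.2 key is treated as "enabled", which holds on
# Windows 8 / Server 2012 and later; older systems need the key set explicitly.
$tls12 = $protocols | Where-Object { $_.Protocol -eq 'TLS 1.2' }
$ready = $hasNet45 -and
         ($tls12.Enabled -ne 0) -and
         ($tls12.DisabledByDefault -ne 1) -and
         -not ($dotnet | Where-Object { $_.SchUseStrongCrypto -ne 1 })
"Ready to disable the TLS 1.0 client protocol for .NET 4.x apps: $ready"
```

Run it from an elevated PowerShell prompt before disabling TLS 1.0 and again after applying the registry change and restarting the Pulseway service.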
