ITSourcePro (posted April 28, 2017)

Per PCI 3.2, TLS 1.0 will soon be required to be disabled. We tested this out on a few of our servers with Pulseway and after doing so the Pulseway Agent on the server stopped reporting into the Pulseway Console. When trying to verify the account on the Pulseway Manager 5.1 we got the following error:

An error occurred while receiving the HTTP response to https://ws15.pulseway.com/Server.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.

The only way to fix it was to re-enable the TLS 1.0 Client Protocol here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

I checked Pulseway's SSL Cert on Qualys SSL and it said it accepted TLS 1.0 to 1.2 but it must be something in the Agent code that limits it to TLS 1.0. Not sure if this should be a Bug or Feature request but just wanted to make the team aware of the issue.

Thanks!
ITSourcePro

Paul, Administrators (posted April 28, 2017)

Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul

saschadd (posted July 16, 2017)

On 28.4.2017 at 10:38 AM, Paul said:

> Hi there, Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service. We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year. -Paul

Hi Paul,

Good to hear that there is a "quick and dirty" fix for this issue. But somehow I don't understand how to do this "running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script". Could you please let me know how I could enable this registry hack on a PC running client 5.1.2?

Thank you very much in advance.
sascha

Paul, Administrators (posted July 17, 2017)

Hi Sascha,

Under the WebApp -> Automation -> Tasks you will find a task called "Enable TLS 1.2 in .NET Framework 4.0". You can edit the system scope on which the automation task will run to only target the systems you need to.

Alternatively you can run the "Enable TLS 1.2 in .NET Framework 4.0" built-in script individually on a system by going to the "Scripts" section of the system details from the WebApp or mobile apps under the Built-in categories.

-Paul

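A read-only check for the situation discussed in this thread, added here as an example (it is not part of the forum posts and is not Pulseway's built-in script): it reports the SCHANNEL client state for each TLS version, whether .NET Framework 4.5 or later is installed, and the .NET `SchUseStrongCrypto` opt-in. That `SchUseStrongCrypto` is the value the built-in script sets is an assumption; the thread does not name the registry value.

```powershell
# Read-only audit: nothing here writes to the registry.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit view on 64-bit Windows
)

function Get-SchannelClientState {
    param([string]$Protocol)
    $key = Get-ItemProperty -Path "$schannel\$Protocol\Client" -ErrorAction SilentlyContinue
    if (-not $key)                    { return 'OS default (not configured)' }
    if ($key.Enabled -eq 0)           { return 'Disabled' }
    if ($key.DisabledByDefault -eq 1) { return 'Enabled, not offered by default' }
    return 'Enabled'
}

function Test-DotNet45OrLater {
    # Release >= 378389 in this key means .NET Framework 4.5 or later is installed.
    $full = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    return [bool]($full -and $full.Release -ge 378389)
}

function Get-StrongCryptoState {
    # Assumption: SchUseStrongCrypto=1 is the opt-in that lets .NET 4.0-targeted code use TLS 1.1/1.2.
    foreach ($path in $netKeys) {
        if (-not (Test-Path $path)) { continue }
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $path; SchUseStrongCrypto = $value; Ok = ($value -eq 1) }
    }
}

$protocols = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object {
    [pscustomobject]@{ Protocol = $_; Client = Get-SchannelClientState $_ }
}
$strong = @(Get-StrongCryptoState)
$protocols | Format-Table -AutoSize
$strong    | Format-Table -AutoSize
".NET Framework 4.5 or later installed: $(Test-DotNet45OrLater)"

# Flag the combination that produced the failure in the first post.
$tls10Off   = ($protocols | Where-Object Protocol -eq 'TLS 1.0').Client -eq 'Disabled'
$notOptedIn = @($strong | Where-Object { -not $_.Ok }).Count -gt 0 -or $strong.Count -eq 0
if ($tls10Off -and $notOptedIn) {
    Write-Warning 'TLS 1.0 client is disabled but a .NET 4.0 key lacks SchUseStrongCrypto=1; a .NET 4.0-targeted agent may have no protocol left to offer.'
}
```

Run it from an elevated PowerShell prompt before disabling the TLS 1.0 client protocol, and again after restarting the Pulseway service.
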
adigiuseppe (posted October 18, 2017)

Suggestion: make settings more secure by default, then those who need legacy support can downgrade as required; i.e., the PW back-end default to the Mozilla Security/Server Side TLS Intermediate compatibility and the PW agents default to Mozilla Security/Server Side TLS Modern compatibility; then those who need legacy support can downgrade security using similar method to guidance above if required.

(This can also be made into a selectable item in the agent installer/config if desired; e.g., "HTTPS encryption strength" "standard security" and "legacy support")

Chris, Staff (posted October 19, 2017)

Thank you for your suggestion. We will consider the possibility of introducing this option in the future.

ltintnteam (posted November 5, 2018)

Hello,

Has this changed as of the latest 6.0 update?

Thanks

Chris, Staff (posted November 6, 2018)

Hi @ltintnteam,

Yes, there have been changes regarding this. Once you install the Pulseway agent 6.0 the required registry key is created automatically and the Pulseway agent supports TLS 1.2 by default.