Jump to content

Support for TLS 1.2 on Agent for PCI 3.2 Compliance


ITSourcePro
 Share

Recommended Posts

Per PCI 3.2, TLS 1.0 will soon be required to be disabled. We tested this out on a few of our servers with Pulseway and after doing so the Pulseway Agent on the server stop reporting into the Pulseway Console. When trying to verify the account on the Pulseway Manager 5.1 we got the following error:

An error occurred while receiving the HTTP response to https://ws15.pulseway.com/Server.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to theservice shutting down). See server logs for more details.

The only way to fix it was to re-enable the TLS 1.0 Client Protocol here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

I checked Pulseway's SSL Cert on Qualys SSL and it said it accepted TLS 1.0 to 1.2 but it must be something in the Agent code that limits it to TLS 1.0.

Not sure if this should be a Bug or Feature request but just wanted to make the team aware of the issue.

Thanks!

ITSourcePro

 

Link to comment
Share on other sites

  • Administrators

Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul

Link to comment
Share on other sites

  • 2 months later...
On 28.4.2017 at 10:38 AM, Paul said:

Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where there's .NET Framework 4.5 (or higher) installed and can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul

Hi Paul,

good to hear that there is a "quick and dirty" fix for this issue.

But somehow i don't understand how to do this "running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script".

Could you please let me know how i could enable this registry hack on an pc running client 5.1.2.

Thank you very much in advance.

sascha

Link to comment
Share on other sites

  • Administrators

Hi Sacha,

Under the WebApp -> Automation -> Tasks you will find a task called "Enable TLS 1.2 in .NET Framework 4.0". You can edit the system scope on which the automation task will run to only target the systems you need to. Alternatively you can run the "Enable TLS 1.2 in .NET Framework 4.0" built-in script individually on a system by going to the "Scripts" section of the system details from the WebApp or mobile apps under the Built-in categories.

-Paul

Link to comment
Share on other sites

  • 3 months later...

Suggestion: make settings more secure by default, then those who need legacy support can downgrade as required; i.e., the PW back-end default to the Mozilla Security/Server Side TLS Intermediate compatibility  and the PW agents default Mozilla Security/Server Side TLS Modern compatibility ; then those who need legacy support can downgrade security using similar method to guidance above if required. (This can also be made into a selectable item in the agent installer/config if desired; e.g., "HTTPS encryption strength" "standard security" and "legacy support")

Link to comment
Share on other sites

  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...