ITSourcePro

Support for TLS 1.2 on Agent for PCI 3.2 Compliance


Per PCI 3.2, TLS 1.0 will soon be required to be disabled. We tested this out on a few of our servers with Pulseway and after doing so the Pulseway Agent on the server stopped reporting into the Pulseway Console. When trying to verify the account on the Pulseway Manager 5.1 we got the following error:

An error occurred while receiving the HTTP response to https://ws15.pulseway.com/Server.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.

The only way to fix it was to re-enable the TLS 1.0 Client Protocol here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

I checked Pulseway's SSL Cert on Qualys SSL and it said it accepted TLS 1.0 to 1.2 but it must be something in the Agent code that limits it to TLS 1.0.

Not sure if this should be a Bug or Feature request but just wanted to make the team aware of the issue.

Thanks!

ITSourcePro


Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure, so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where .NET Framework 4.5 (or higher) is installed; it can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul
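As an added illustration (not Pulseway's built-in task or any Pulseway code), the following PowerShell audit reads the SCHANNEL client protocol state and the .NET SchUseStrongCrypto switch that Microsoft documents for .NET Framework 4.5 and later; it assumes that switch is the "registry hack" Paul refers to, which the thread does not state, and it only writes the key when run with -Fix.

```powershell
# Added audit script; it is not Pulseway's "Enable TLS 1.2 in .NET Framework 4.0" task.
# Assumption: SchUseStrongCrypto (documented by Microsoft for .NET 4.5+) is the switch
# that lets a 4.0-targeted ServicePointManager offer TLS 1.1/1.2. Run elevated.
param([switch]$Fix)   # read-only unless -Fix is given
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netKeys  = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')

function Get-ProtocolState([string]$Proto) {
    # SCHANNEL: a client protocol is off when Enabled = 0 or DisabledByDefault = 1;
    # a missing subkey means the OS default applies.
    $k = Join-Path $schannel "$Proto\Client"
    if (-not (Test-Path $k)) { return 'os-default' }
    $v = Get-ItemProperty -Path $k
    if ($v.Enabled -eq 0)           { return 'disabled' }
    if ($v.DisabledByDefault -eq 1) { return 'disabled-by-default' }
    return 'enabled'
}
function Get-StrongCrypto([string]$Key) {
    if (-not (Test-Path $Key)) { return $null }
    return (Get-ItemProperty -Path $Key).SchUseStrongCrypto
}
# Release >= 378389 under NDP\v4\Full means .NET Framework 4.5 or later is installed.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -ErrorAction SilentlyContinue).Release
$has45 = [int]$release -ge 378389

foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    '{0,-8} client: {1}' -f $p, (Get-ProtocolState $p)
}
".NET Framework 4.5+ installed: $has45 (Release=$release)"

foreach ($k in $netKeys) {
    $sc = Get-StrongCrypto $k
    '{0}: SchUseStrongCrypto={1}' -f $k, $(if ($null -eq $sc) { '<unset>' } else { $sc })
    if ($Fix -and $has45 -and $sc -ne 1) {
        New-Item -Path $k -Force | Out-Null
        Set-ItemProperty -Path $k -Name SchUseStrongCrypto -Value 1 -Type DWord
        '  -> SchUseStrongCrypto set to 1; restart the Pulseway service to apply'
    }
}

# The failure mode from the thread: TLS 1.0 client disabled while the 4.0-era agent
# has no strong-crypto switch, so client and server share no protocol version.
$tls10Off = (Get-ProtocolState 'TLS 1.0') -in 'disabled', 'disabled-by-default'
$strong   = ($netKeys | ForEach-Object { Get-StrongCrypto $_ }) -contains 1
if ($tls10Off -and -not $strong) {
    Write-Warning 'TLS 1.0 is disabled and SchUseStrongCrypto is unset: a .NET 4.0 client has no usable TLS version.'
}
```

Both the 64-bit and Wow6432Node keys are checked because a 32-bit agent process reads the latter.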

On 28.4.2017 at 10:38 AM, Paul said:

Hi there,

Pulseway runs on .NET Framework 4.0 which only supports SSL 3.0 and TLS 1.0. We've disabled SSL 3.0 as it's insecure, so there is only TLS 1.0 available now. There is a registry hack that enables Pulseway to use TLS 1.1 and TLS 1.2 on systems where .NET Framework 4.5 (or higher) is installed; it can be enabled by running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script and restarting the Pulseway service.

We are planning on setting up a .NET Framework 4.5 release channel and automatically switch agents to that update channel if we can detect .NET Framework 4.5 (or higher) thus adding support for TLS 1.1 and TLS 1.2 out of the box. This change is scheduled to happen by the end of this year.

-Paul

Hi Paul,

Good to hear that there is a "quick and dirty" fix for this issue.

But somehow I don't understand how to do this "running the "Enable TLS 1.2 in .NET Framework 4.0" built-in automation script".

Could you please let me know how I could enable this registry hack on a PC running client 5.1.2?

Thank you very much in advance.

sascha


Hi Sascha,

Under the WebApp -> Automation -> Tasks you will find a task called "Enable TLS 1.2 in .NET Framework 4.0". You can edit the system scope on which the automation task will run to only target the systems you need to. Alternatively you can run the "Enable TLS 1.2 in .NET Framework 4.0" built-in script individually on a system by going to the "Scripts" section of the system details from the WebApp or mobile apps under the Built-in categories.

-Paul


Suggestion: make settings more secure by default, then those who need legacy support can downgrade as required; i.e., the PW back-end defaults to the Mozilla Security/Server Side TLS Intermediate compatibility profile and the PW agents default to the Mozilla Security/Server Side TLS Modern compatibility profile; then those who need legacy support can downgrade security using a method similar to the guidance above if required. (This can also be made into a selectable item in the agent installer/config if desired; e.g., "HTTPS encryption strength": "standard security" and "legacy support".)


Hi @ltintnteam,

Yes, there have been changes regarding this. Once you install the Pulseway agent 6.0 the required registry key is created automatically and the Pulseway agent supports TLS 1.2 by default.
