For the web services, this can be done through WHM: Home »Service Configuration »cPanel Web Services Configuration, under the "TLS/SSL Protocols" field by adding !TLSv1 to the list.
The following response from one of our analysts is also helpful: For Dovecot you can add !TLSv1 through WHM: Home »Service Configuration »Mailserver Configuration under the "SSL Protocols" field. I've tested this and it disabled TLSv1.0 for me, while leaving 1.1/1.2 enabled.
To my understanding, the reason TLS 1.0 is no longer considered secure by PCI is due to a policy regarding CVE scores. Use of RC4 recently had CVE scores increased to be at the same level as the BEAST vulnerability which affects all other TLS 1.0 ciphers. I do not know the exact policy of PCI regarding this, but this issue was brought to my attention upon finding the following discussion:
From what I gather from the article to which you linked, it appears that TLSv1.0 support is only permitted when it can be demonstrated that every connecting client will be secure against attacks like BEAST, which have client-side mitigations in most (but not all) software.
I empathize with the customers of yours who continually call when their outdated devices and software stop working; perfectly serviceable programs should not stop working for no good reason; it should not be required to keep buying new devices and major software releases in order to continue to access services over the public Internet. However, the fact remains that such devices and software should be able to maintain acceptable security levels through active updates released by the vendors who provide such devices and software, even if no other features are updated on stable releases. Thus, I would recommend that, if you wish to maintain PCI compliance, you explain to customers who contact you what the problem is (all cryptographic ciphers supported by their outdated devices and software are no longer considered secure by the credit card vendors), who to contact about the problem (the developer of the software/platform or the wireless carrier through which the device was obtained), and what to request (that they provide support for TLS 1.1 and/or 1.2 for the device or software). Security is a process, and this means that an unchanging software base cannot remain secure without updates to keep it secure.
The alternative seems to be to forgo the approval of the PCI DSS. You can also explain the consequences of this to those who contact you.
Apologies that there is not more which we can do for you. I hope that you can negotiate a grace period with your compliance vendor. If you have any further questions or concerns, please feel free to contact us again.
Your server supports TLSv1.1 and TLSv1.2? If so, make sure there are some ciphers left on your list that work.

There's another post about this but figured I'd start a specific one for this situation. Security metrics and other PCI ASVs are now considering RC4-SHA a failing cipher over TLS 1.0.

What's the best way to go about removing RC4-SHA and not breaking SSL?
Can you provide your cipher and protocol lists?

I passed PCI today, on 3 different domains. My solution in this case was an edited cipher list as well; I added port 465 to DROP any incoming connection. I also have Mailserver and FTP server disabled. Mail for those domains runs off our other server.
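As an added check that is not part of this thread: the two edits discussed above are appending !TLSv1 to the protocol list and !RC4 to the cipher list, and the risk is trimming the cipher list until nothing usable is left. The helper below builds those exclusions without duplicating them and resolves the resulting cipher string against the local OpenSSL build (via Python's ssl module) to confirm that non-RC4 suites remain for TLS 1.0-1.2. It assumes the WHM cipher field takes an OpenSSL-style colon-separated cipher string; the sample lists are constructed, not copied from anyone's server.

```python
import ssl


def exclude_tokens(spec, *tokens):
    """Append OpenSSL-style '!TOKEN' exclusions to a colon-separated list
    (the form used for the WHM protocol and cipher fields) without adding
    an exclusion that is already present."""
    parts = [p for p in spec.split(":") if p]
    for tok in tokens:
        if "!" + tok not in parts:
            parts.append("!" + tok)
    return ":".join(parts)


def audit_cipher_spec(spec):
    """Resolve a cipher string with the local OpenSSL build and report what
    a TLS 1.0-1.2 client could still negotiate once RC4 is out.

    Returns a dict: 'usable' (at least one non-RC4 suite resolved),
    'kept' (those suite names) and 'rc4' (RC4 suites still offered,
    which should be empty). TLS 1.3 suites are skipped because OpenSSL
    configures them separately and the cipher-list field does not
    govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # No suite in the spec matched: this is the over-trimmed list
        # that breaks SSL entirely rather than just dropping RC4.
        return {"usable": False, "kept": [], "rc4": []}
    kept, rc4 = [], []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        (rc4 if "RC4" in suite["name"] else kept).append(suite["name"])
    return {"usable": bool(kept), "kept": kept, "rc4": rc4}


if __name__ == "__main__":
    # Constructed sample field values (hypothetical, not from the thread).
    protocols = exclude_tokens("SSLv23:!SSLv2:!SSLv3", "TLSv1")
    ciphers = exclude_tokens("ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA", "RC4")
    print("protocol list:", protocols)
    print("cipher audit:", audit_cipher_spec(ciphers))
```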