Disable TLS 1.0/1.1 - Failing Audits

[alrnetwork]

Hi there,

I've just had an audit run against my servers for PCI compliance and it failed, leaving me with a very short amount of time to rectify the problem.

It seems the vast majority of failures are related to TLS 1.0/1.1

Would someone kindly direct me to where I need to go to fix this and are there any risks to changing these settings? I don't care for people using old operating systems such as Windows 7, but things should work properly and not disrupt existing hosted applications etc.

Any ideas?

 

[warg]

I'm interesting in this as well as I would do this as a next step as well!

 

[wila]

Custombuild -> Edit Options -> SSL configuration
I think "intermediate" would be OK.
Test with https://ssllabs.com

There's also this:

Customizing Apache | Directadmin Docs

DirectAdmin Knowledge Base

docs.directadmin.com

 

[ikkeben]

It seems the vast majority of failures are related to TLS 1.0/1.1

And the other things?
That is important information for DA user her on forum to. ?

The setting on intermediate in the config should then solves this part

 

[alrnetwork]

Hi there.. I'm already set to "intermediate"! So I dug around and it seems that actually Cloudflare were the issue. For anyone else who happens to encounter this and use Cloudflare, you can find the info here: https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2

 

[alrnetwork]

And the other things?
That is important information for DA user her on forum to. ?

The setting on intermediate in the config should then solves this part

The other vulnerability was:

4. Web Application Potentially Vulnerable to Clickjacking​

This vulnerability often appears on websites as well as simple login pages found on the network side. With clickjacking, a hacker or malicious individual loads a webpage or a button/link from a webpage into an I-Frame. A visitor may then unknowingly click on a malicious link and be sent to a completely different site–typically a duplicate page made to look like the valid webpage. I-Frames need to be restricted by implementing a security header.

Resolution: Regardless of where Clickjacking is vulnerable, the same fix applies. Pages that are vulnerable to Clickjacking are required to implement either X-Frame-Options or Content-Security-Policy security headers that prevent I-Frames from loading affected web pages.

 

[ikkeben]

The other vulnerability was:

Content-Security-Policy security headers​

Yup those are also in the webapps you have to set and config those as roundcube , and maybe even DA pages parts.
And ofourse the websites and used CMS whatever.