
Disabling TLS 1.0

Discussion in 'Asuswrt-Merlin' started by Manorexia, Feb 26, 2020.

  1. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    An nmap scan shows that my RT-AC88U router still has TLS 1.0 enabled (which is an automatic fail for PCI compliance). Is there any way to disable it permanently, allowing for only 1.1 or 1.2+ connections?
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,915
    Location:
    UK
    Why on earth would you be using a home router in a business that requires PCI compliance?:eek:
     
    Makaveli likes this.
  3. Makaveli

    Makaveli Very Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    676
    Location:
    Canada
    lol this.

    How did an IT manager or Security Manager even allow this?
     
  4. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    It's an extremely small company, and apparently, PCI compliance is a requirement for any business that accepts credit cards... which is EVERY business. i.e., if you're a graphic designer that works from home... you probably don't have the cash to throw down for Cisco products, nor the know-how to set it up.

    With that said, this is the router we have, and, for the record, this single issue is the ONLY thing that could fail us, so the SOHO router we have seems to be doing just fine. So... can anyone actually help?
     
    adampk17 likes this.
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,915
    Location:
    UK
    I see. Well it depends on where and how the credit card processing takes place. The kind of business you describe doesn't always run its own in-house payment processing systems and PoS terminals. Invoicing is often done by a third party service like Square (just an example). So all the PCI compliance falls on that company. Even if you handle physical card payments (like a restaurant) a company like Square can provide card readers with end to end encryption, so again the compliance issue is at their end of the link. -- Just something that might be worth investigating.
     
  6. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    I fixed it... and I find it funny that the two people on their high horses who took the time to be in complete shock that a "home" router is used in a small business apparently didn't know how to fix it. Maybe sit it out next time?
     
    adampk17 likes this.
  7. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    That's apparently not true. We had assumed the same thing... the provider would need to be compliant, not us... but since we use a computer to process the payments through a website, we're subject to the PCI compliance as well. I had assumed that, as long as the web browser met all of the specifications, we'd be fine. It seemed suspect to me, and the PCI compliance website certainly makes it sound like the ownership would fall to our provider... but... nope.

    edit: for the record, we use authorize.net...
     
  8. Makaveli

    Makaveli Very Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    676
    Location:
    Canada
    lol asking why a home router is being used in an environment that requires PCI compliance, which usually is an enterprise requirement, is being on a high horse?

    And then assuming neither of us knows how to fix it.

    ok boss!
     
  9. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    11,375
    And how was this fixed? Please share. :)
     
    Makaveli likes this.
  10. Makaveli

    Makaveli Very Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    676
    Location:
    Canada
    I just ran my own nmap scan on my router and I don't see TLS 1.0 being active.
     
    SomeWhereOverTheRainBow and L&LD like this.
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,384
    Location:
    Canada
    No need to be cheeky about it folks...

    I thought myself or themiron did disable it when we tightened SSL support in httpd, but I'd have to double check to be sure actually. I only remember for sure having disabled SSLv2 and v3 a few years ago, and removed weak ciphers, but I can't remember about TLS 1.0.
     
  12. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    Well... since you STILL haven't provided a solution, it's a fair assumption... and again... PCI compliance is apparently NOT solely an enterprise requirement.
     
  13. Makaveli

    Makaveli Very Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    676
    Location:
    Canada
    Good luck.
     
  14. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    tls-version-min 1.1 fixed the issue initially, and then I later noticed that the firmware was older (384.13), so I updated that as well. I still have the line in my custom config, so I'm not sure if the firmware alone would have fixed it. Certainly, it helped with DDNS (I believe 384.13 had an outdated version of ACME) certificate renewal.
     
    L&LD likes this.
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,384
    Location:
    Canada
    tls-version-min where exactly? There is no configuration file for the router's management web server, so I'm not sure where you added that.
     
  16. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,915
    Location:
    UK
    AFAIK tls-version-min 1.1 is an OpenVPN parameter. So maybe he was talking about testing the OpenVPN server from the internet, whereas I think we were assuming he was talking about the router's web server from inside the LAN.
     
    Makaveli likes this.
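    The thread turns on which service the scan actually hit: `tls-version-min` is an OpenVPN directive and says nothing about the router's httpd. The following is an added example (not code from the thread or from Asuswrt-Merlin) that parses `nmap --script ssl-enum-ciphers` output per port, flags any port still offering a version below a chosen floor, and reads the `tls-version-min` value out of an OpenVPN custom config; the scan report embedded in it is constructed, not a real scan of any router.

```python
"""Check TLS-version exposure from nmap ssl-enum-ciphers output and from an
OpenVPN custom config. Added example; SAMPLE_REPORT is constructed."""
import re

# Constructed nmap output: the web UI on 8443 still offers TLSv1.0, while
# the OpenVPN port shows nothing because ssl-enum-ciphers only speaks plain
# TLS; OpenVPN wraps TLS in its own framing, so a scan of one service says
# nothing about the other.
SAMPLE_REPORT = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
1194/udp open  openvpn
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open")
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v\d(?:\.\d)?):\s*$")
# Oldest to newest; unknown names are treated as acceptable.
RANK = {v: i for i, v in enumerate(
    ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"])}

def offered_versions(report: str) -> dict:
    """Map each open port to the protocol versions nmap saw it accept."""
    versions, port = {}, None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = m.group(1)
            versions[port] = []
            continue
        m = PROTO_RE.match(line)
        if m and port:
            versions[port].append(m.group(1))
    return versions

def failing_ports(report: str, minimum: str = "TLSv1.2") -> dict:
    """Ports accepting anything older than `minimum` -> offending versions."""
    floor = RANK[minimum]
    bad = {p: [v for v in vs if RANK.get(v, floor) < floor]
           for p, vs in offered_versions(report).items()}
    return {p: vs for p, vs in bad.items() if vs}

def openvpn_min_tls(custom_config: str):
    """Return the tls-version-min value from an OpenVPN custom config, or None
    if the directive is absent (comments after '#' are ignored)."""
    for line in custom_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "tls-version-min":
            return parts[1]
    return None
```

Run `failing_ports` over a real scan of the web UI port and of the OpenVPN port separately; a passing OpenVPN config with no entry for the httpd port is exactly the situation the thread ran into.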
  17. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    I placed it in the OpenVPN custom configuration.
     
  18. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    Yep. This.
     
  19. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    756
    Lol...
    Finally mystery solved...
     
    Makaveli likes this.
  20. Manorexia

    Manorexia Occasional Visitor

    Joined:
    Apr 26, 2019
    Messages:
    18
    Just to make sure, tonight, I'll remove the line from the custom config and see if TLS remains disabled and let you know.
     
    L&LD likes this.