Disabling TLS 1.0

Manorexia

Occasional Visitor
An nmap scan shows that my RT-AC88U router still has TLS 1.0 enabled (which is an automatic fail for PCI compliance). Is there any way to disable it permanently, allowing for only 1.1 or 1.2+ connections?
 
Why on earth would you be using a home router in a business that requires PCI compliance?:eek:

lol this.

How did an IT manager or Security Manager even allow this?
 
Why on earth would you be using a home router in a business that requires PCI compliance?:eek:

It's an extremely small company, and apparently, PCI compliance is a requirement for any business that accepts credit cards... which is EVERY business. IE: if you're a graphic designer that works from home... you probably don't have the cash to throw down for Cisco products, nor the know-how to set it up.


With that said, this is the router we have, and, for the record, this single issue is the ONLY thing that could fail us, so the soho router we have seems to be doing just fine. So... can anyone actually help?
 
It's an extremely small company, and apparently, PCI compliance is a requirement for any business that accepts credit cards... which is EVERY business. IE: if you're a graphic designer that works from home... you probably don't have the cash to throw down for Cisco products, nor the know-how to set it up.
I see. Well it depends on where and how the credit card processing takes place. The kind of business you describe doesn't always run its own in-house payment processing systems and PoS terminals. Invoicing is often done by a third party service like Square (just an example). So all the PCI compliance falls on that company. Even if you handle physical card payments (like a restaurant) a company like Square can provide card readers with end to end encryption, so again the compliance issue is at their end of the link. -- Just something that might be worth investigating.
 
I fixed it... and I find it funny that the two people on their high horses took the time to be in complete shock that a "home" router is used in a small business apparently didn't know how to fix it. Maybe sit it out next time?
 
I see. Well it depends on where and how the credit card processing takes place. The kind of business you describe doesn't always run its own in-house payment processing systems and PoS terminals. Invoicing is often done by a third party service like Square (just an example). So all the PCI compliance falls on that company. Even if you handle physical card payments (like a restaurant) a company like Square can provide card readers with end to end encryption, so again the compliance issue is at their end of the link. -- Just something that might be worth investigating.
That's apparently not true. We had assumed the same thing... the provider would need to be compliant, not us... but since we use a computer to process the payments through a website, we're subject to the PCI compliance as well. I had assumed that, as long as the web browser met all of the specifications, we'd be fine. It seemed suspect to me, and the PCI compliance website certainly makes it sound like the ownership would fall to our provider... but... nope.

edit: for the record, we use authorize.net...
 
I fixed it... and I find it funny that the two people on their high horses took the time to be in complete shock that a "home" router is used in a small business apparently didn't know how to fix it. Maybe sit it out next time?

lol asking why a home router is being used in an environment that requires PCI compliance which usually is an enterprise requirement is being on a high horse?

And then assume neither of us knows how to fix it.

ok boss!
 
I fixed it... and I find it funny that the two people on their high horses took the time to be in complete shock that a "home" router is used in a small business apparently didn't know how to fix it. Maybe sit it out next time?

And how was this fixed? Please share. :)
 
No need to be cheeky about it folks...

I just ran my own nmap scan on my router and I don't see TLS 1.0 being active.

I thought myself or themiron did disable it when we tightened SSL support in httpd, but I'd have to double check to be sure actually. I only remember for sure having disabled SSLv2 and v3 a few years ago, and removed weak ciphers, but I can't remember about TLS 1.0.
 
lol asking why a home router is being used in an environment that requires PCI compliance which usually is an enterprise requirement is being on a high horse?

And then assume neither of us knows how to fix it.

ok boss!

Well... since you STILL haven't provided a solution, it's a fair assumption... and again... PCI compliance is apparently NOT solely an enterprise requirement.
 
Well... since you STILL haven't provided a solution, it's a fair assumption... and again... PCI compliance is apparently NOT solely an enterprise requirement.

Good luck.
 
And how was this fixed? Please share. :)

tls-version-min 1.1 fixed the issue initially, and then I later noticed that the firmware was older (384.13), so I updated that as well. I still have the line in my custom config, so I'm not sure if the firmware alone would have fixed it. Certainly, it helped with DDNS (I believe 384.13 had an outdated version of ACME) certificate renewal.
 
tls-version-min where exactly? There is no configuration file for the router's management web server, so I'm not sure where you added that.
 
AFAIK tls-version-min 1.1 is an OpenVPN parameter. So maybe he was talking about testing the OpenVPN server from the internet, whereas I think we were assuming he was talking about the router's web server from inside the LAN.
 
AFAIK tls-version-min 1.1 is an OpenVPN parameter. So maybe he was talking about testing the OpenVPN server from the internet, whereas I think we were assuming he was talking about the router's web server from inside the LAN.

Lol...
Finally mystery solved...
 
tls-version-min where exactly? There is no configuration file for the router's management web server, so I'm not sure where you added that.

Just to make sure, tonight, I'll remove the line from the custom config and see if TLS remains disabled and let you know.
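
Added example, not part of any post in this thread: the confusion above was over which listening service the TLS 1.0 finding belonged to, so this sketch parses the per-port protocol list from `nmap --script ssl-enum-ciphers` output and reports every port offering a version below a chosen minimum. The sample scan output, the port numbers in it and the function names are constructed for illustration.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output (not from the thread).
SAMPLE = """\
PORT     STATE SERVICE
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def protocols_by_port(text):
    """Map 'port/proto (service)' to the protocol versions that port offers."""
    result, current = {}, None
    for line in text.splitlines():
        port, proto = PORT_RE.match(line), PROTO_RE.match(line)
        if port:
            current = f"{port.group(1)}/{port.group(2)} ({port.group(3)})"
            result[current] = []
        elif proto and current is not None:
            result[current].append(proto.group(1))
    return result

def below_minimum(text, minimum="TLSv1.1"):
    floor = ORDER.index(minimum)  # versions ordered oldest to newest
    findings = {}
    for port, protos in protocols_by_port(text).items():
        weak = [p for p in protos if p in ORDER and ORDER.index(p) < floor]
        if weak:
            findings[port] = weak
    return findings

if __name__ == "__main__":
    print(below_minimum(SAMPLE))
```

Running the same check before and after a configuration change shows whether the change affected the port that was actually flagged.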
 
