PCI-DSS Apple Mail TLS 1.0 (Apple mail only using TLS 1)

BobSpadger

Hi All

I'm asking here as it seems to be a new problem.

Due to PCI-DSS requiring that TLS1.0 be disabled I followed Kerio's instructions and set
<variable name="DisableTLSv1">1</variable>

This had the desired effect of stopping TLS1.0 being offered. Great!

Except that Apple Mail and iOS mail all stopped working and I could not get them to decide to use TLS 1.1 or greater.

We now seem to be stuck in an impossible situation. I've found others with this same issue, however, I've not posted more than 5 messages so can't post it!


Does anyone have any clever ideas, or have you experienced this?

Lukas Petrlik (Kerio)

I definitely do not recommend that you disable the TLSv1 protocol. Instead, I would recommend one of the following:
1. Upgrade to version 8.5, whose default settings should suffice to pass PCI DSS validation.
2. If the upgrade is not an option, I recommend that you make the adjustments according to the following KB article: http://kb.kerio.com/product/kerio-connect/server-configuration/security/pci-dss-compliance-1301.html

BobSpadger

Hi

Thanks for the reply.

I'm running 8.4.3, which doesn't factor in the help file. Is this because the help file is out of date, or because 8.4.3 had other functions / features?

Cheers

Thanks,
Lukas Petrlik (Kerio)

Please could you be more specific? (E.g. what are you missing in the docs etc.)
BobSpadger

Hi

Example is:
Vulnerability to the SSL BEAST attack
Solution: In Kerio Connect 8.0.1 to 8.4.2

I'm on 8.4.3, should I do this?

Thanks

Lukas Petrlik (Kerio)

No, the problem is fixed in 8.4.3.
BobSpadger

Cool, thanks.

So, we are back to the same issue: I'm on 8.4.3 and Trustwave are notifying me that I need to disable TLSv1 due to the security vulnerabilities in it.

This service supports the use of the TLSv1.0 protocol. The TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. Additionally, the PCI SSC and NIST have determined that the TLSv1.0 protocol no longer meets the definition of strong cryptography.

The server should be configured to disable the use of the TLSv1.0 protocol in favor of cryptographically stronger protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding. Organizations that are seeking to remain PCI compliant while continuing to use TLSv1.0 enabled services before June 30th, 2016 will need to dispute this finding and demonstrate that they have a formal risk mitigation and migration plan.

I seem to be stuck between a rock and a hard place!?

Lukas Petrlik (Kerio)

There is also a problem that some SMTP servers won't be able to deliver mail to your server if you disable TLSv1; see this thread:
http://forums.kerio.com/mv/msg/29304/121701/#msg_121701
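Both failure modes in this thread (Apple Mail clients that offer nothing above TLS 1.0, and remote SMTP servers that can no longer deliver once TLSv1 is off) come down to what the peer advertises in its ClientHello. The following is an added example, not code from this thread or from Kerio: a small parser that reports the highest TLS version and the cipher suites a captured ClientHello offers, fed with constructed sample hellos built by the helper (names build_client_hello and parse_client_hello are my own). Running it over a capture of the failing client's first handshake record shows whether it can ever negotiate TLS 1.1 or 1.2 before you decide whether DisableTLSv1 is safe for your user base.

```python
import struct

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}   # wire codes, RFC 5246 / RFC 8446
SUPPORTED_VERSIONS_EXT = 43                           # TLS 1.3 supported_versions extension

def build_client_hello(max_version, suites, supported_versions=None):
    """Build a constructed sample ClientHello (zero random, no SNI) for offline testing only."""
    ext = b""
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(vs) + 1, len(vs)) + vs
    body = (struct.pack("!H", max_version) + bytes(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)     # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake

def parse_client_hello(data):
    """Return (name of the highest TLS version offered, set of cipher suite codes)."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    versions = {struct.unpack("!H", hello[:2])[0]}   # legacy client_version = max offered pre-TLS 1.3
    pos = 2 + 32                                     # skip client random
    pos += 1 + hello[pos]                            # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    suites = {struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + cs_len, 2)}
    pos += 2 + cs_len
    pos += 1 + hello[pos]                            # skip compression methods
    if pos + 2 <= len(hello):                        # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:      # TLS 1.3 clients list the real offer here
                n = hello[pos]
                versions.update(struct.unpack("!H", hello[i:i + 2])[0]
                                for i in range(pos + 1, pos + 1 + n, 2))
            pos += elen
    return TLS_NAMES.get(max(versions), "unknown"), suites

LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x0035])   # constructed: client capped at TLS 1.0
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02F], [0x0304, 0x0303, 0x0302])   # constructed: TLS 1.3-capable
```

A client whose hello reports "TLS 1.0" as its highest offer will fail against a server with DisableTLSv1 set, whatever the server's cipher configuration.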
BobSpadger

Ok

So, is there a 'best practice' or some form of advice on how to get a mail server to pass a PCI-DSS scan?

Should it be on a VLAN all of its own? But then I would still have to provide the IP address of the firewall it's behind to get it scanned. It would then fail as it's using TLSv1?

Brian Carmichael (Kerio)

The best practice is to use the most current version of the software. In this case, Kerio Connect 8.5. We've made several improvements specifically to our SSL/TLS support. This includes disabling weak ciphers and implementing forward secrecy.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio