Guide: Removing TLSv1 for PCI ecommerce compliance

Discussion in 'Installation/Configuration' started by fbarcenas, Aug 28, 2018.

Tags:
  1. fbarcenas

    fbarcenas Member

    TLSv1 has been phased out. Continuing to use it won't break your padlock just yet, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018. If you've been procrastinating as I have. Here is an easy guide to get it done.
    Code:
    nano /usr/local/ispconfig/server/conf/nginx_vhost.conf.master
    Find the line about 9 lines down that reads:
    Code:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    and change it to:
    Code:
    ssl_protocols TLSv1.1 TLSv1.2;
    Open your ISPCONFIG panel. Go to Tools. Click Resync. Click Websites. Click Start.
    Optional: Go to your fridge. Open a beer. Drink to the death of TLSv1. RIP TLSv1.
    Have a nice day!
    Ref: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
     
    Last edited: Aug 28, 2018
    Taleman likes this.
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    This will work until the next ispconfig-update. ;)
    copy conf/nginx_vhost.conf.master to conf-custom/nginx_vhost.conf.master and change the file in conf-custom.
     
    fbarcenas likes this.
  3. fbarcenas

    fbarcenas Member

    Good catch, I forgot about that.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not absolutely sure if that's enough, did you test the site? If I remember correctly, then nginx is enabling the lowest TLS version that is found in any vhost for all vhosts. So it might be that you have to remove TLSv1 from ispconfig.vhost file as well (plus copying the install/tpl/nginx_ispconfig.vhost.master file to conf-custom/install/ to make it update safe). But I might remember this wrongly, so if you tested it and the test shows that TLSv1 is off after your change, then forget my post :)
     
  5. ahrasis

    ahrasis Well-Known Member

    No it doesn't, at least in my nginx server. It depends on each vhost. I'm already using tls1.3 via openssl 1.1.1pre8 for ISPConfig panel and so far it is working good.
     
    till likes this.
  6. fbarcenas

    fbarcenas Member

    YEah it did for me since I didn't have any custom config to override the change. I tested it with https://www.whynopadlock.com
     
    till likes this.

Share This Page