SSL and Outdated TLS(1.0 and 1.1) for Web Service client application on .Net 3.5

As per PCI, we need to stop using SSL and TLS (1.0 and 1.1 in certain implementations) from June 30th 2016, as per http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html

We have a client application built on .Net 3.5 which uses the HttpWebRequest object to connect to web services.

As per MSDN, SecurityProtocolType (https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx) supports only Ssl3 and Tls (1.0) on .Net Framework 4 or below. Tls11 and Tls12 are only supported in .Net Framework 4.5/4.6.

Does that mean that, to be inside the cardholder data environment and fully PCI compliant, we need to upgrade all applications to .Net 4.5/4.6 and allow only the Tls12 SecurityProtocolType when connecting to external web services using HttpWebRequest?

Nirlep asked Jul 09 '15 12:07



2 Answers

Actually, you can use TLS 1.2 in frameworks lower than 4.5 (at least I managed it in a .NET Framework 4 client). Instead of using the classic command to set the protocol to Tls12, you can bypass it by using the id for this protocol.

  // 3072 (0xC00) is the numeric value of SecurityProtocolType.Tls12 in .NET 4.5+; the cast avoids naming an enum member that older reference assemblies lack
  ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
tzes answered Oct 14 '22 01:10


Any communication channel that currently uses SSL/early TLS or that is willing to accept them on negotiation and that is part of the cardholder data environment as a security control needs to be changed such that it will only use TLS 1.1 (with an approved cipher suite) or above.

You need to recompile under .Net 4.5 or greater (TLS 1.2 is not enabled by default so code changes are needed) or use a 3rd party library that supports the required protocols.

Note that if you know your system is using SSL/early TLS you must create a risk mitigation plan/document.

INFORMATION SUPPLEMENT Migrating from SSL and Early TLS

Alex K. answered Oct 14 '22 02:10
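An added example (not code from either answer) that combines tzes' numeric-cast trick with Alex K.'s point that the client must offer only TLS 1.1 or above: it assumes 768 and 3072 are the numeric values of SecurityProtocolType.Tls11 and Tls12 as defined in .NET 4.5+, and that a runtime without TLS 1.1/1.2 support rejects them with NotSupportedException, so the caller can detect the gap instead of silently falling back to SSL 3.0 / TLS 1.0.

```csharp
using System;
using System.IO;
using System.Net;

// Added example, not from the original answers.
static class TlsHardening
{
    // Numeric values of SecurityProtocolType.Tls11 / Tls12 in .NET 4.5+ (assumed here
    // so the code compiles against 3.5/4.0 reference assemblies lacking those names).
    const int Tls11 = 768;   // 0x300
    const int Tls12 = 3072;  // 0xC00

    // Returns true if the runtime accepted the restricted protocol set.
    // Ssl3 (48) and Tls (192) are deliberately left out so SSL 3.0 and
    // TLS 1.0 are never offered during negotiation.
    public static bool EnableModernTlsOnly()
    {
        try
        {
            ServicePointManager.SecurityProtocol = (SecurityProtocolType)(Tls11 | Tls12);
            return true;
        }
        catch (NotSupportedException)
        {
            // The installed runtime predates TLS 1.1/1.2 support; there is no
            // safe in-code fallback, the framework itself has to be upgraded.
            return false;
        }
    }

    // Fetches a URL only after the protocol restriction has been applied.
    public static string Fetch(string url)
    {
        if (!EnableModernTlsOnly())
            throw new InvalidOperationException(
                "Runtime cannot negotiate TLS 1.1/1.2; upgrade the .NET Framework.");

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
}
```

Call EnableModernTlsOnly() once at startup (before any HttpWebRequest is created) and fail the deployment if it returns false; which runtime versions accept the cast is something to verify on the target machine rather than assume.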