Well shit guys. The time is almost upon us when all companies that handle credit card transactions must disable what PCI-DSS calls "early TLS" and SSL. By now most of you should already have SSL 3.0 and below disabled to mitigate attacks like POODLE and BEAST. By June 30th, 2018, though, you must also disable TLS 1.0!
From PCI-DSS:
Is your organization still using the SSL/early TLS protocols? Do you work with online and e-commerce partners or customers who haven’t yet started the migration away from SSL/early TLS to a more secure encryption protocol? Read on for key questions and answers that can help with saying goodbye to SSL/early TLS and reducing the risk of being breached.
What happens on 30 June 2018?
30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

Awesome! Well, it really isn't that difficult to disable TLS 1.0 in IIS and Apache. I'll start with IIS first!
For IIS, download a tool I've written about in the past called IIS Crypto. Run the tool as an Administrator on your Windows IIS server, and under Protocols Enabled, uncheck everything except TLS 1.1 and TLS 1.2, then click Apply.
After you click Apply, reboot the server and you are good to go!
For Apache, at least in Ubuntu, all you have to do is modify your default-ssl.conf file located in /etc/apache2/sites-enabled/ using your favorite text editor, and find the section that says SSLEngine On and modify it to say:
SSLEngine on
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On

Save the config, then restart Apache:

sudo service apache2 restart

Bang! Done! Now you aren't serving anything without encrypting it with either TLS 1.1 or TLS 1.2!
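Once the config is saved and the server restarted, it is worth checking two things: that the SSLProtocol line really evaluates to the protocol set you meant (the directive is applied token by token, so a typo like forgetting the "-TLSv1" quietly leaves early TLS on), and that the running server, IIS or Apache, actually refuses a TLS 1.0 handshake from the outside. The script below is an added example, not part of this post or of IIS Crypto or Apache; it models the SSLProtocol syntax from the mod_ssl docs (All, bare names, +name, -name) and uses Python's standard ssl module (3.7+) to attempt a handshake pinned to a single protocol version. The protocol list, the PCI_WEAK set and the function names are my own choices.

```python
import socket
import ssl

# Keywords mod_ssl accepts in SSLProtocol (TLSv1.3 only on newer Apache/OpenSSL builds).
APACHE_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# What PCI-DSS calls "SSL/early TLS": everything below TLS 1.1.
PCI_WEAK = {"SSLv2", "SSLv3", "TLSv1"}


def enabled_protocols(directive: str) -> set:
    """Evaluate an Apache SSLProtocol line the way mod_ssl does: tokens apply
    left to right, 'All' adds every protocol, '-name' removes one, '+name' or a
    bare name adds one. Case-insensitive. Simplified model: it does not know
    which protocols the local OpenSSL actually supports."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    lookup = {p.lower(): p for p in APACHE_PROTOCOLS}
    enabled = set()
    for tok in tokens:
        op, name = "+", tok
        if tok[0] in "+-":
            op, name = tok[0], tok[1:]
        name = name.lower()
        if name == "all":
            targets = set(APACHE_PROTOCOLS)
        elif name in lookup:
            targets = {lookup[name]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword: {tok}")
        if op == "+":
            enabled |= targets
        else:
            enabled -= targets
    return enabled


def pci_findings(directive: str) -> list:
    """Protocols left enabled by the directive that PCI-DSS says must be off."""
    return sorted(enabled_protocols(directive) & PCI_WEAK)


def server_accepts(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Attempt a handshake pinned to exactly one TLS version and report whether
    the server completed it. Certificate verification is off because the point
    is protocol negotiation, not the chain. Caveat: a client OpenSSL built
    without TLS 1.0/1.1 makes those attempts fail locally, which reads here as
    'rejected'; confirm with `openssl s_client -connect host:443 -tls1` if in doubt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host: str, port: int = 443) -> dict:
    """Map each TLS version to whether the server at host:port accepts it."""
    versions = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    return {name: server_accepts(host, port, v) for name, v in versions.items()}


if __name__ == "__main__":
    # Constructed examples: the directive from this post and a common mistake.
    for line in ["SSLProtocol All -SSLv2 -SSLv3 -TLSv1", "SSLProtocol All -SSLv2 -SSLv3"]:
        print(line, "->", "OK" if not pci_findings(line) else f"still enabled: {pci_findings(line)}")
    # Live check against your own server (hostname is a placeholder to replace):
    # print(probe("www.example.com"))
```

Run it with no arguments to lint the two directive lines, and uncomment the last line with your own hostname to see which versions the live server negotiates; after the change, TLSv1 should read False and TLSv1.2 True.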
Are you and your company prepared to make this change by June 30th? Let us know your story in the comments!