MX Version 15.0.6 introduced enhanced TLS security functionality, disabling TLS 1.0 out of the box.
- If your system was upgraded from an existing installation, TLS 1.0 is left enabled.
- If your system is a clean install of 15.0.6, TLS 1.0 is disabled.
To meet PCI compliance requirements while retaining port forwarding to the PBX, communication must be encrypted using a trusted CA-signed certificate and modern protocol versions. With the Let's Encrypt SSL certificate functionality introduced in MX Version 15.x, you can use 15.0.6 to disable TLS 1.0 and a Let's Encrypt certificate to pass the vulnerability scan.
Note that the vulnerability scanner will hit all open ports several times and will be placed on the Zultys blacklist. PCI scans do not accept DoS protection as a “vulnerability mitigation”, so you must whitelist the scanner's IP addresses so that it can verify the protections actually in place. This is done under Provision > Network Security.
To Enable/Disable TLS 1.0 - (Zultys KBS ID: PE-108)
Under MX Administrator > Provision > System Settings > Miscellaneous, the “Security” section is at the bottom of the window. The relevant control is the “Backward compatibility mode” checkbox:
- When this is enabled, both TLS 1.0 and TLS 1.2+ are accepted, and the Zultys default security certificate is SHA1.
- When this is disabled, TLS 1.0 is NOT enabled; only TLS 1.2+ is supported, and the Zultys default security certificate is SHA256.
NOTE: Changing this parameter requires a restart of the MX for the change to take effect.
NOTE: This checkbox also affects the Zultys default security certificate SHA support. Please see MX-4609 for the details.
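After the restart, the new state can be confirmed from a host outside the MX with the following script. It is an added check, not part of the Zultys KB; it assumes a local openssl binary, a hostname and port given on the command line (the names used are placeholders), and that the checking host is not on the MX blacklist.

```shell
#!/bin/sh
# Added verification script; not from the Zultys KB article.
# Probes an MX's HTTPS port to confirm: TLS 1.0 refused, TLS 1.2 accepted,
# and the served certificate not SHA-1 signed (i.e. "Backward compatibility
# mode" is off). HOST and PORT are placeholders supplied on the command line.

# probe_tls HOST PORT VERSION_FLAG (-tls1 or -tls1_2)
# Returns 0 when the server completes a handshake at that version (it sent
# its certificate), 1 when it refuses.
probe_tls() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# sig_alg_ok reads `openssl x509 -noout -text` output on stdin and returns 0
# when the certificate signature uses SHA-256 or stronger, 1 for SHA-1/MD5
# or anything unrecognised (the SHA1 default of backward compatibility mode).
sig_alg_ok() {
  alg=$(awk '/Signature Algorithm/ { print $3; exit }')
  case "$alg" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519|ED448)
      return 0 ;;
    *) return 1 ;;
  esac
}

# check_host HOST PORT runs all three checks; returns the number of failures.
check_host() {
  fails=0
  if probe_tls "$1" "$2" -tls1; then
    echo "FAIL: $1:$2 still accepts TLS 1.0"; fails=$((fails + 1))
  else
    echo "ok:   $1:$2 refuses TLS 1.0"
  fi
  if probe_tls "$1" "$2" -tls1_2; then
    echo "ok:   $1:$2 accepts TLS 1.2"
  else
    echo "FAIL: $1:$2 does not accept TLS 1.2"; fails=$((fails + 1))
  fi
  if openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
       | openssl x509 -noout -text 2>/dev/null | sig_alg_ok; then
    echo "ok:   certificate signature is SHA-256 or stronger"
  else
    echo "FAIL: certificate is SHA-1 signed or could not be read"; fails=$((fails + 1))
  fi
  return "$fails"
}

# Usage: sh check_mx_tls.sh mx.example.com 443   (placeholder hostname)
if [ -n "${1:-}" ]; then check_host "$1" "${2:-443}"; fi
```

If the local openssl was built without TLS 1.0 support, the `-tls1` option fails on the client side and the first check reports a false pass; run it from a build that still offers TLS 1.0.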
With the above completed and the scanner IPs whitelisted, the only vulnerability found will be CVE-2000-0649, which was originally reported against IIS 4.0 but affects NGINX as well (see https://whittlecorn.com/2016/02/03/a-possible-fix-for-cve-2000-0649-in-nginx/). A control will need to be created, and the MX properly segmented on the LAN from any CDE data, in order to pass the vulnerability scan. Note that a ticket was submitted to Zultys and a fix for this issue will be released in the next version.