Kmartin
New Member
September 29, 2015
Question

PCI compliance Fortimail firmware 5.2

  • September 29, 2015
  • 2 replies
  • 5151 views

Trustwave's PCI scan keeps failing on my FortiMail 200D 5.2 - 458 with the following CVEs: 2015-2808 (SSL/TLS weak encryption algorithms), 2014-2566 (SSL/TLS weak encryption algorithms), 2014-3566 (SSLv3 supported). I have enabled strong-crypto, and had my dispute approved for TLSv1.0, but these last 3 are giving me headaches....

2 replies

Kmartin
Kmartin (Author)
New Member
September 29, 2015

I updated the firmware after I ran the set strong-crypto; I just ran the command again and the PCI scan is now clean??

Carl_Windsor_FTNT
Staff
September 29, 2015

**I recommend you register over at the new FUSE Forums**

Kmartin wrote:

Trustwave's PCI scan keeps failing on my FortiMail 200D 5.2 - 458 with the following CVEs: 2015-2808 (SSL/TLS weak encryption algorithms), 2014-2566 (SSL/TLS weak encryption algorithms), 2014-3566 (SSLv3 supported). I have enabled strong-crypto, and had my dispute approved for TLSv1.0, but these last 3 are giving me headaches....

I assume here you are referring to SMTPS, not the GUI, as these protocols should be

The problem with audit scans like this is they are normally designed with HTTPS web sites with payment processing involved. Like it or not, email is traditionally an insecure protocol. If you enforce blocking of SSLv3/TLS1.0 in an email environment, the result is normally that the remote server will just downgrade the connection to SMTP, which is self-defeating.

However, we added commands to help you here in 5.2.5:

config sys global
  set ssl-versions tls1_2    <- select the required version(s)
end

I still don't recommend it, as I think we are a way off before we can drop all of these legacy protocols without issue; this is why FortiMail supports IBE for when security is an absolute requirement.
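An added example (not from the thread, Fortinet or FortiMail): a small Python probe that re-checks what a mail gateway actually negotiates over STARTTLS or SMTPS after `set ssl-versions`, one TLS version at a time, and maps each result to the findings named above (SSLv3, CVE-2014-3566; RC4, CVE-2015-2808). The host name is a placeholder, and the legacy-version probing relies on OpenSSL's `@SECLEVEL=0` cipher string, which is assumed available in the local build.

```python
"""Re-check a mail server's TLS offering the way an ASV scanner would.

Added example, not FortiMail code. The host in __main__ is a placeholder.
A refused version is what the scanner wants; an accepted one is reviewed.
"""
import smtplib
import ssl

# SSLv3 itself cannot be offered by a current Python/OpenSSL build, so that
# finding has to be confirmed from the scanner's own report.
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def pci_findings(protocol, cipher):
    """Map a negotiated (protocol, cipher) pair to the findings raised in the thread."""
    findings = []
    if protocol in ("SSLv2", "SSLv3"):
        findings.append("CVE-2014-3566: SSLv3 supported")
    if protocol in ("TLSv1", "TLSv1.1"):
        findings.append("legacy " + protocol + " still negotiable")
    if "RC4" in cipher:
        findings.append("CVE-2015-2808: RC4 cipher accepted")
    if any(weak in cipher for weak in ("DES", "NULL", "EXP", "MD5")):
        findings.append("weak cipher algorithm: " + cipher)
    return findings


def probe(host, port=25, version=ssl.TLSVersion.TLSv1_2, starttls=True, timeout=10):
    """Force exactly one TLS version; return (protocol, cipher) or (None, reason)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE            # testing version support, not trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.set_ciphers("ALL:@SECLEVEL=0")         # let OpenSSL 3 offer TLS 1.0/1.1 for the probe
    try:
        if starttls:                           # opportunistic TLS on 25/587, as MTAs use it
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.starttls(context=ctx)
        else:                                  # implicit TLS, i.e. SMTPS on 465
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        result = (smtp.sock.version(), smtp.sock.cipher()[0])
        smtp.quit()
        return result
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return None, str(exc)                  # refused: a legacy sender would fall back to plain SMTP


def scan(host, port=25, starttls=True):
    """Probe every version and return {version_name: findings or ['refused']}."""
    report = {}
    for version in PROBE_VERSIONS:
        protocol, cipher = probe(host, port, version, starttls)
        report[version.name] = pci_findings(protocol, cipher) if protocol else ["refused"]
    return report


if __name__ == "__main__":
    for name, result in scan("mail.example.invalid").items():   # placeholder host
        print(name, result)
```

Run it once against port 25 with STARTTLS and once with `starttls=False` against 465, since the scanner checks both the opportunistic and the implicit TLS listeners.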