mle2802
Staff
Article Id 275342
Description

This article describes why a PCI scan can still fail because of TLS v1.0 even though a minimum TLS version of 1.3 is configured for web admin access and SSL VPN.

Scope

FortiGate.

Solution

In some cases, the minimum TLS version is set to 1.3 for the web GUI and SSL VPN, but the PCI scan still fails because TLS v1.0 is negotiated.

For example:

X.X.X.X:3389 Negotiated with the following insecure cipher suites: TLS 1.0 ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Double-checking the configuration in this scenario shows that there is a VIP on port 3389 forwarding RDP to a server behind the FortiGate:

config firewall vip
    edit "RDP-ADMIN-In"
        set extip "X.X.X.X"
        set mappedip "X.X.X.X"
        set extintf "port1"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

Since the destination of the scanned port is the internal server and not the FortiGate, the FortiGate's minimum TLS version setting (which applies to services terminated on the FortiGate, such as web admin and SSL VPN) does not control the TLS version negotiated on port 3389. The TLS configuration should be checked on the internal server that is accepting RDP in this scenario.
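As an added example (not part of this article or of any Fortinet tool), the following Python script correlates a scanner's TLS 1.0 findings with a `config firewall vip` block to tell which findings are forwarded to a backend host and which terminate on the FortiGate itself. The scanner text, VIP name and addresses are constructed, and the parser assumes the config shape shown above; it also handles `extport` ranges (`N-M`) and VIPs without port forwarding.

```python
import re
# Constructed sample scanner output (not a real scan): two TLS 1.0 findings on one public IP.
SCAN_OUTPUT = """\
203.0.113.10:3389 Negotiated with the following insecure cipher suites: TLS 1.0 ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
203.0.113.10:10443 Negotiated with the following insecure cipher suites: TLS 1.0 ciphers:
"""
# Constructed VIP config in the shape of the article's example; all addresses are made up.
VIP_CONFIG = """\
config firewall vip
    edit "RDP-ADMIN-In"
        set extip 203.0.113.10
        set mappedip "10.0.0.25"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end
"""
FINDING_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) Negotiated .*TLS 1\.0 ciphers:$", re.M)

def parse_findings(text):
    # Each "host:port Negotiated ... TLS 1.0 ciphers:" header line is one finding.
    return [(ip, int(port)) for ip, port in FINDING_RE.findall(text)]

def parse_vips(text):
    # Turn each 'edit ... next' entry of a 'config firewall vip' block into a dict.
    vips = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            vips.append({"name": line[5:].strip('"')})
        elif line.startswith("set ") and vips:
            key, _, value = line[4:].partition(" ")
            vips[-1][key] = value.strip('"')
    return vips

def port_matches(vip, port):
    # A VIP without port forwarding forwards every port; extport may be N or N-M.
    lo, _, hi = vip.get("extport", "0").partition("-")
    return vip.get("portforward") != "enable" or int(lo) <= port <= int(hi or lo)

def attribute(findings, vips):
    # Map each finding to the host that actually terminates TLS on that port.
    result = []
    for ip, port in findings:
        vip = next((v for v in vips if v.get("extip") == ip and port_matches(v, port)), None)
        where = (f"backend {vip['mappedip']}:{vip.get('mappedport', port)} via VIP {vip['name']}"
                 if vip else "FortiGate itself (check its admin and SSL VPN min TLS version)")
        result.append((ip, port, where))
    return result
```

Run `attribute(parse_findings(SCAN_OUTPUT), parse_vips(VIP_CONFIG))` against the real scanner text and `show firewall vip` output to see which findings must be fixed on the backend server.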

Note:
To change the TLS version used for RDP on Windows Server, refer to this link:

https://social.technet.microsoft.com/Forums/en-US/ff98d296-42cb-4f4d-a69f-c8dea82453ad/how-windows-s...