Administrators may fail PCI compliance scans because a deprecated TLS protocol is still enabled on the Kerio VPN port 4090. Older versions of TLS can be affected by multiple cryptographic flaws. This article covers the steps to disable the deprecated SSL and TLS versions.
- Establish an SSH connection to the Kerio Control box.
- Execute the following line:
/opt/kerio/winroute/tinydbclient "update SSL set DisabledProtocols='SSLv2,SSLv3,TLSv1,TLSv1_1'"
- Reboot Kerio Control using the command below or any other way:
Once all the changes have been completed and saved and Kerio Control has been restarted, reattempt the PCI compliance scan.
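To check the result from a separate machine before rescanning, the following added example (not Kerio's own tooling) attempts a handshake on port 4090 pinned to each version named in DisabledProtocols, with TLSv1_2 as a positive control. It assumes the VPN port answers a plain TLS handshake over TCP; SSLv2 and SSLv3 are reported as untestable because current Python/OpenSSL builds cannot offer them.

```python
import socket
import ssl
import sys

# Value taken from the tinydbclient command in this article.
DISABLED = "SSLv2,SSLv3,TLSv1,TLSv1_1"

def _context(name):
    """Client context pinned to exactly one TLS version, or None if unsupported."""
    try:
        version = ssl.TLSVersion[name]          # Kerio's names match the enum names
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False              # only the protocol is under test,
        ctx.verify_mode = ssl.CERT_NONE         # not the certificate
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL offer legacy versions
        ctx.minimum_version = version
        ctx.maximum_version = version
        return ctx
    except (KeyError, ValueError, ssl.SSLError):
        return None

def probe(host, port, name, timeout=5.0):
    """Return accepted / rejected / unreachable / untestable for one version."""
    ctx = _context(name) if name.startswith("TLSv") else None
    if ctx is None:
        return "untestable"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw):
            return "accepted"
    except OSError:        # ssl.SSLError, reset or timeout during the handshake
        return "rejected"  # trust this only if the TLSv1_2 control is accepted
    finally:
        raw.close()

def audit(host, port=4090, disabled=DISABLED):
    """Probe every disabled version plus TLSv1_2 as a positive control."""
    names = [n.strip() for n in disabled.split(",")] + ["TLSv1_2"]
    return {n: probe(host, port, n) for n in names}

def still_enabled(results, disabled=DISABLED):
    """Disabled versions the server still negotiated; should be empty."""
    off = {n.strip() for n in disabled.split(",")}
    return sorted(n for n, r in results.items() if n in off and r == "accepted")

if __name__ == "__main__" and len(sys.argv) > 1:
    res = audit(sys.argv[1])   # argument: address of the Kerio Control box
    print(res, "FAIL" if still_enabled(res) else "OK")
```

A "rejected" result can also come from a client build that refuses legacy TLS, so read it together with the TLSv1_2 control line.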