Is there a way to disable SSLv3 and TLSv1.0 support for the PRTG Web server? And can I disable the S

Hi Matt,

PRTG supports SSL connections via TLS 1.2 since version 14.x.12 or later. If you are using an older version, update to the latest release to enable the new security features.

For more detailed information, please have a look at the PRTG Network Monitor Security Features

Best regards, Felix

Felix,

I'm on the current version (15.3.18.3616). I know it supports the newer versions, my problem is that it also still supports the old versions. I need PRTG to not support the old versions.

In searching for an answer, I found a webpage that listed a fix from you that I couldn't find in the Paessler KB. It references "OverrideSSLVersion" and "OverrideSSLCipher" registry entries. Would these be a possible solution for removing SSLv3 and TLSv1.0 support from my PRTG installation?

Hi,

This won't be necessary as the webserver rejects SSLv3 connections. Please check the Setup > System Administration > User Interface > Web Server > SSL Security" setting. This needs to be set as "High Security" in order to only accept TLS 1.2 encryption.

Best regards

I made the suggested setting change and it would appear that TLS1.0 is still supported. Running a scan on https://www.ssllabs.com/ssltest, as well as the scan run by our payment processor both show that TLS 1.2, 1.1, and 1.0 are all supported. However, SSL 2 and 3 have been successfully disabled.

Hi Matt,

I just discussed this case with our development and you are correct, TLS 1.0 and TLS 1.1 connections are accepted by the PRTG webserver within the current version of PRTG.

Best regards, Felix

So is there a way I can disable TLS 1.0?

We are currently working on a solution to block TLS 1.0. Meanwhile, this needs to either be configured on a firewall or the client machines. You might want to follow This Article to disable TLS 1.0 in the web browser. Please bear with us.

Best regards, Felix

Has there been any update to this issue? We are running into the same issue, preventing us from passing our PCI-DSS Penetration Test?

Hi,

TLS 1.0 connections still need to be disabled on the client machine or within a firewall inbetween, sorry.

Best regards,

any update on this?

Dear Kube,

I'm afraid that we don't have an update yet.

Best regards, Felix

Hi team. Has there been any movement on this? This issue is now nearly 1 year old and failing PCI scans is becoming harder to justify for such a simple issue.

Hi Andre,

It's currently being worked on to be released later this year in case all goes well.

Kind regards.

Hi, do you have any updated ETA on this? Since the SSL Security Check sensor in PRTG itself now is flagging TLSv1 as Weak, I have no way of correcting this warning without removing the remote monitoring of our PRTG installation.

Hi runnane,

Yes, we just released 16.4.27.6720 where you can change how the sensor rates TLS 1.0.

Do an update check in PRTG and install the new version, then you can apply the new settings.

Kind regards,

Erhard

Dear PRTG,

Are you serious? You determine TLS 1.0 as weak but don't support deactivating it in your own software??? And your solution is to manipulate the rating?

Wow...

Dear Dennis,

Of course we are aware of the irony. Just to be clear: This workaround has not been implemented due to the circumstance that PRTG does not support deactivating TLS 1.0 for its own webserver at the moment.

The thing is, there are many users out there and while some need the sensor to sound the alarm when TLS1.0 is supported, others do not want this or at least not for every device for several reasons. Now instead of instructing how to tinker manually with the used lookups in the sensor, we decided to provide alternate lookups ourselves to switch the behavior. Otherwise -once you use selfmade lookups- future changes to the sensor may not work because of the custom lookups.

As for "our homework" regarding TLS1.0: We are working on deactivating TLS 1.0 for PRTG, but it's a little more complicated than just flicking a switch since there are several dependencies around that which have further implications that might even break certain sensors if we would just shut off TLS1.0.

Kind regards,

Erhard

Hi,

Is there an update to this? Or a time-frame at the least? We also require this.

Hi Matt,

You're got mail.

Kind regards,

Erhard

Hi Erhard,

we are also interested for a update or a solution.

Thank You.

Best regards, Sebastian

@Sebastian: You've got mail.

Kind regards,

Erhard

Hi guys. Any update on this? PRTG is causing my PCI scan to fail and I really need to disable TLS1.0 and SSL3.

Hi Andre,

You too have got mail.

Kind regards,

Erhard

Could i get mail as well regarding this issue? Thanks

Hi Matt,

Sure, you've got mail.

Kind regards,

Erhard

Hi Erhard,

I'm also interested in a solution to disable TLS 1.0

Regards.

Hi Bruno,

Sure, you've got mail.

Kind regards,

Erhard

Hi Erhard, I also need a solution to disable TLS 1.0. Best,

Hi Erhards. May I also get a solution to disable TLS1.0 on my system? Thank you, best regards.

Hi jvazac,

Sure, you've got mail.

Kind regards,

Erhard

Hi Erhard, I would also like this solution. Thanks.

Hi ebeville,

Sure, you've got mail.

Kind regards,

Erhard

Hi,

Would it be possible to receive the solution as well please?

Many Thanks,

Aston

Please keep working on a solution. Cert scans are failing on PRTG. I can't pass PCI DSS this year if I also run PRTG. Also put me on the mailing list. Thanks

Hello Aston, hello lwdbos,

Both of you got mail to your email addresses used for registering in our knowledgebase.

Kind regards,

Erhard

We also need to disable TLS1 and 1.1 as we are being dinged on 3rd party security scans required for our audit.

Hello Cory,

You've got mail.

Kind regards,

Erhard

Can I please have the solution to this as also failing PCI

Hello Dan,

And you too have got mail.

Kind regards,

Erhard

I need to remove TLS 1.0 as well. Would you please email me the information ? Thanks

Can i get this as well. thanks

@wdkunkin & kube1984: You've got mail.

Kind regards,

Erhard

Hi, can you please help me as well?? I need to pass our audit!

Dear Tan, because we are already in email contact with you, I suggest to keep on that communication source.

Best,
Sebastian

Hi. I'd be interested in how we can disable TLS 1.0.

Hi mchapman,

You've got mail.

Kind regards,

Erhard

We are also facing PCI DSS and need to disable. Can I please get the e-mail? /Andreas

Hello Andreas,

Sure, mail just went out.

Kind regards,

Erhard

Hi, Please also send me the email.

My InfoSec team just said this server is causing us to fail our PCI external scans. Any update on this capability being built in yet or can I get the email that seems to have a solution?

Check your mailbox TCS-Obrien, you got mail.

So, why don't we just post the solution instead of sending individual emails? I'm failing security scans too since I can't disable TLS 1.0 on PRTG.

Please can you also send the solution to disable TL1.0

thanks

We would also like the solution. Could you please email it to me as well? Thank you.

Can I also receive this email...

Another request for the secret email, please!

Everybody should have received the instructions, otherwise please let us know in case we overlooked someone.

Kind regards,

Erhard

Hello Erhard,

Could I have this mystery email also? :-)

Thanks in advance!

Regards Mikkel

Hi Mikkel,

Erhard is not here today, but I just sent the information. :)

Best regards, Felix

Can I also be sent the fix? Thanks

Hi mspitz,

You've got mail.

Kind regards,

Erhard

Please, forward the email to me also.

Thanks,

Hans

Can I have the fix too please.

Craig & Hans, you've got mail.

Kind regards,

Erhard

Hi Erhard,

I need your email also ;-)

Thanks, Rainer

Can I have the fix too please.

Please can you send me the fix - I need TLS1.0 to be gone from my systems.

thanks.

Hello Phil,

You've got mail.

Kind regards,

Erhard

I would also like the fix.

Thank you.

Hello Brian,

You've got mail.

Kind regards,

Erhard

Could you send me the fix to?

Kind regards, Jeroen

Hello Jeroen,

You've got mail.

Kind regards,

Erhard

Hi Erhard, I need your email also to disable TLS 1.0 ;-) Thanks, Nathan

Hi Nathan,

Sure, you've got mail.

Kind regards,

Erhard

Hi Erhard, I'd like this too.

thanks, Bruce.

Hi Bruce,

Mail's out.

Kind regards,

Erhard

We need to solution to disable TLS 1.0 on PRTG. Thanks

Hello cheejack_ng,

You've got mail.

Kind regards,

Erhard

Hi Erhard,

can you share that with me as well?

Hi unraveller,

Yes, I can and I just did (mail's out) :)

Kind regards,

Erhard

I would like instructions on how to disable tls 1.0.

Hello dquick,

You've got mail.

Kind regards,

Erhard

Hi, Please could you send the instruction to myself as well?

Thanks Mark

Can I also get the instructions how to disable TLS 1.0 please? many thanks

One more for these secret cannot be posted instructions.

Hi Erhard, Could you pass details on for this to me? need to pass our audit.

You'd save yourselves a bit of work, and customers a bit of time having to register for a forum account, if you'd simply release a knowledgebase article. In the meantime, can you email me the instructions, please?

I sent the instructions to both of you.

Best regards, Felix

Can I have the secret magic email too please.

Can I have the fix too please.

The "Magic Mail" got sent. :)

May I too have this magic to disable TLS 1.0? :)

Can I have the fix too please.

Hello Martin,

You've got mail.

Kind regards,

Erhard

Can some one send me the steps to disabling TLS 1.0

Hello Ernesto,

You've got mail.

Kind regards,

Erhard

Can I please also get this magic email to disable TLS 1.0?

Thanks!

Hello radumelnic,

Please check your emails.

Best,
Sebastian

please send me the fix, also failing PCI scans as need to disable

•The following SSL/TLS cipher suites use Diffie-Hellman a prime modulus smaller than 2048 bits: •TLS 1.0 ciphers: •TLS_DHE_RSA_WITH_AES_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits

•TLS 1.1 ciphers: •TLS_DHE_RSA_WITH_AES_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits

We also need to disable tls 1.1 for PCI scanning

Hi Mike,

You've got mail.

Kind regards,

Erhard

Why hasn't the solution to disable TLS 1.0 not been posted publicly? It seems a little ridiculous that your emailing each individual customer with the solution. Can I please get this secret information update sent to me?

Can I get the email too?

@rcary: You've got mail.

@unluck: Point taken. Since the workaround has a few culprits like Enterprise Console not working anymore, we decided to not publish it and only give it out to people explicitly asking for it, you could have also sent us an email about it.

Thing is, depending on how it will be finally implemented later in PRTG, we might need to contact the users who have applied the "reghack" to adjust something (if necessary, you never know....).

By handling it like this, we can at least keep track of the people who were handed out the details so far.

Kind regards,

Erhard

We also need to disable TLSv1.0 - can I get the Mail? Steffen

Hi Steffen,

You've got mail.

Kind regards,

Erhard

Hi,

Please can you send me the relevant info too?

Thanks,

Nik

Hi Nik,

Sure, mail's out.

Kind regards,

Erhard

I would like this super secret email please.

Hello pjs5406,

You've got mail.

Kind regards,

Erhard

Please send us these instructions.

Hello Kenneth,

You've got mail.

Kind regards,

Erhard

can i have the instructions please

Please also send the instructions to me.

Kind Regards, Thomas.

Hi Thomas,

You've got mail.

Kind regards,

Erhard

Can you send me this email?

Best regards, Ernest

Hi Ernest,

Sure, you've got mail.

Kind regards,

Erhard

Could I also have the secret squirrel email please... :)

Hi Michael,

Yes, you can ^^

Kind regards,

Erhard

I don't understand why the solution can't be posted but can you send me the method to disable TLS1.0. TLS1.0 fails PCI so this should be published for all...

Dear 87racer,

Mail's out and here's why we don't post the details publicly (yet).

Kind regards,

Erhard

Hello,

I would also like to have this email.

Thanks!

Hi Phil,

You've got mail.

Kind regards,

Erhard

I need the fix. Thanks in advance

Manny, you got mail as well.

Best regards, Felix

Can I please also have the TLS 1.0 disable fix ? Thanks

Hi unibe_sec_team,

You've got mail.

Kind regards,

Erhard

Can I please also have the TLS 1.0 disable fix ? Thanks Its a pain for our PCI compliance

Hello Wayne,

You've got mail.

Kind regards,

Erhard

Can I please also have the TLS 1.0 disable fix ? Our PCI scans keep failing. Thanks

Hi Coop888,

You've got mail.

Kind regards,

Erhard

Can I get te mail also to disable TLSv1.0?

Kind regards,

Patrick

Hi Patrick,

Sure, mail's out.

Kind regards,

Erhard

I need the instruction too. Regards, Michal

Hello Michal,

You've got mail.

Kind regards,

Erhard

I am running 17.3.32.2478 and need the instructions as well

Hello Harleytek,

You've got mail.

Kind regards,

Erhard

Hi Erhard,

I'm running PRTG Network Monitor 17.3.33.2830+ do you have also an email for me, to disable TLS 1.0?

Kind Regards Michael

Hi Michael,

Sure, mail's out.

Kind regards,

Erhard

Hello, i am amazed at the fact this thread is now 3 years old is mostly mailing out the solution. But alas, i too need this email please

You got mail Samuel.

Best regards, Felix

Please send me the solution.

Please send me the temporary fix also. Thank you, Tom

Hi guys, please send me the solution to disabling TLS1.0 thanks, Ross

Hello, would you be so kind to forward over the solution to the TLS1.0 fix? Thank you!

Please send me the fix for the solution to TLS 1.0 issue. Thanks! -Sam

Hi Sam,

Youve got mail.

Kind regards,

Erhard

Hi,

Please can you also send the solution to disable TL1.0

Many thanks

Best Regards, Carlo

Please send me the fix too! Thanks

May I have the mail also please?

Thanks,

May I please get this email?

Please send me the email. Thanks

Hi, Please can you also send the solution to disable TL1.0 Many thanks Best Regards, Dave

Hi, Please can you also send the solution to disable TL1.0

Thanks

Please send me the solution to disable TL1.0

Hi,

Please can you also send the solution to disable TL1.0 Need it for Windows (IIS), Ubuntu and Debian (apache2)

Thanks

Hi kranzfr3d,

I can send you instructions for how to disable TLS 1.0 for PRTG's webserver, not for other webservers. PRTG has a webserver of its own, it's neither IIS nor Apache based.

Kind regards,

Erhard

Can you please intructions on how to disable TLS1.0 on the PRTG webserver. Thanks

Mahesh

Can I also get these instructions emailed. Thanks in advance.

May I please have the secret recipe to disable TLS 1.0 and SSLv3? Thanks!

Could we get the intructions also, please?

Thanks.

May I please have the secret recipe to disable TLS 1.0 and SSLv3? Thanks!

Can you please send me the instructions? Thanks!

Dear PRTG team, can i also get the instructions to disable TLS1.0? thanks for this great tool!!!

Dear PRTG Team,

can I also get instruction to Disable TSL1.0?

Thanks

Please also send me the mystery email that disables TLS 1.0. We are also failing PCI scans. Thanks!

Hi PRTG Team,

Please can I be sent the mystery secret email as well.

Thanks, Rick

I need the secret email too. Thanks

Is there any progress on being able to disable TLS 1.0 without it removing functionality?

Hi Martin,

The options to disable TLS1.0 will officially find their way into version 18.x.43 if all goes well (ETA August 2018), so there is no more tinkering with the registry required. What will not change is that Enterprise Console will no longer work with TLS1.0 disabled, as Enterprise Console is no longer under active development and will be replaced by Desktop Client that is already available for beta testing.

Kind regards,

Erhard

As with many others, I too need to remove TLS1.0 from my PRTG probes and servers. May I please have the email detailing how to do this sent to me? Thank you.

Hi there,

Sure, you'll receive the mail soon.

Best regards, Felix

Can I also have the super-secret email, please?

18.3.43.x is now out - does this contain the fix or are we waiting for a different release?

Please May I also have this Work Around .

PRTG version 18.x.43 does not yet contain the new webserver settings, it will be part in one of the upcoming releases though. Thanks for bearing with us!

Best regards, Felix

Hello

Could you please send me the email also please?

Thank you

Neville

Can I please request the PRTG registry fix for tls 1.0?

Could I get the intructions also, please?

Best regards Michael

Could i please get the email for the "fix"

Hi support can i have email with fix?

Thx

It's already integrated in the latest version of PRTG, update you instance and change the settings via the Setup > System Administration > Web Interface page.

Kind regards,
Felix Saure, Tech Support Team

We are on version 19.2.50.2842. If I go to Setup -> System Admin -> User Interface -> Web Interface, the setting there for "High Security" still allows TLS 1.1, i.e.:

High security (TLS 1.1, TLS 1.2)

This issue arose in August 2015. Can we please get a serious response to this need?

Dong,

Can you please update to the latest version of PRTG?

Benjamin Day
Paessler Support

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. This server supports TLS 1.1. Grade capped to B.

What is the timeline to be able to turn off TLS 1.1 and the weaker DH keys? Running latest version: PRTG Network Monitor 19.4.54.1506 x64

Belz,

Setup > System Administration > User Interface > Web Server > Connection Security" setting.
This needs to be set as "Default Security" or "High Security" in order to only accept TLS 1.2 encryption.
This is in the latest stable release of PRTG, 20.1.55.1775.

Benjamin Day
Technical Support

We are running 20.1.56.1547+, and are set to High Security, but the weak keys are still being used. Grade from SSLLABS still capped at a B due to that. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256

Timeline for the weak keys to be disabled/remove, or at least have a toggle as to which keys to allow?

Hello

I'm in version 20.1.55.1775. set the connection security to high security TLS1.2 but I still get TLS1.0 and 1.1 enabled. Any way to solve this?

Regards Ricardo

Ricardo

Please update to the latest version of PRTG, 20.1.57, and try if this still persists, please open a support ticket.

Benjamin Day
Paessler Support

i got the same issue, what is the secret to solve this ? High security (TLS 1.2) acitvated

SSLABS ->
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

and i'm running PRTG Network Monitor 20.3.60.1623 x64

regards, Jannick

Jannick,

Can you please update to the latest stable release of PRTG, and try this again?

Benjamin Day
[Paessler Support]

May I please get the email on disabling TLS 1.0 for version 14.3. we have it running just for ICMP polling on an environment and no need to upgrade at this time.

Miguel,

At this time we only support versions with active maintenance and released within the last calendar year.

Benjamin Day
[Paessler Support]

Hi Could i have the hidden fix as this is also causing me issues with pci compliance

Vince,

In the current stable release of PRTG, the default web server security setting is to use only TLS 1.2. So as long as you're running version 22.2.77, you should be good to go.

Benjamin Day
[Paessler Support]

Hi, may I have the magic fix to disable tls1.0 on older PRTG too? Thanks.