We keep failing PCI DSS external network scans because they detect that SSLv3 and TLSv1.0 are supported by the PRTG Web server, as well as the PRTG Demo Certificate still using the SHA-1 signature algorithm. Is it possible to disable support for these protocols/algorithm?
Best Answer
Option for disabling TLS1.0 is now available starting with version 18.3.44.2054.
Created on Sep 12, 2018 8:43:01 AM by
Erhard Mikulik [Paessler Support]
Last change on Sep 24, 2018 2:13:01 PM by
Erhard Mikulik [Paessler Support]
197 Replies
Hi Matt,
PRTG supports SSL connections via TLS 1.2 since version 14.x.12 or later. If you are using an older version, update to the latest release to enable the new security features.
For more detailed information, please have a look at the PRTG Network Monitor Security Features
Best regards, Felix
Felix,
I'm on the current version (15.3.18.3616). I know it supports the newer versions, my problem is that it also still supports the old versions. I need PRTG to not support the old versions.
In searching for an answer, I found a webpage that listed a fix from you that I couldn't find in the Paessler KB. It references "OverrideSSLVersion" and "OverrideSSLCipher" registry entries. Would these be a possible solution for removing SSLv3 and TLSv1.0 support from my PRTG installation?
Hi,
This won't be necessary as the webserver rejects SSLv3 connections. Please check the "Setup > System Administration > User Interface > Web Server > SSL Security" setting. This needs to be set as "High Security" in order to only accept TLS 1.2 encryption.
Best regards
I made the suggested setting change and it would appear that TLS1.0 is still supported. Running a scan on https://www.ssllabs.com/ssltest, as well as the scan run by our payment processor both show that TLS 1.2, 1.1, and 1.0 are all supported. However, SSL 2 and 3 have been successfully disabled.
Hi Matt,
I just discussed this case with our development and you are correct, TLS 1.0 and TLS 1.1 connections are accepted by the PRTG webserver within the current version of PRTG.
Best regards, Felix
So is there a way I can disable TLS 1.0?
We are currently working on a solution to block TLS 1.0. Meanwhile, this needs to either be configured on a firewall or the client machines. You might want to follow This Article to disable TLS 1.0 in the web browser. Please bear with us.
Best regards, Felix
Has there been any update to this issue? We are running into the same issue, preventing us from passing our PCI-DSS Penetration Test.
Hi,
TLS 1.0 connections still need to be disabled on the client machine or within a firewall in between, sorry.
Best regards,
Any update on this?
Dear Kube,
I'm afraid that we don't have an update yet.
Best regards, Felix
Hi team. Has there been any movement on this? This issue is now nearly 1 year old and failing PCI scans is becoming harder to justify for such a simple issue.
Hi Andre,
It's currently being worked on to be released later this year in case all goes well.
Kind regards.
Hi, do you have any updated ETA on this? Since the SSL Security Check sensor in PRTG itself now is flagging TLSv1 as Weak, I have no way of correcting this warning without removing the remote monitoring of our PRTG installation.
Hi runnane,
Yes, we just released 16.4.27.6720 where you can change how the sensor rates TLS 1.0.
Do an update check in PRTG and install the new version, then you can apply the new settings.
Kind regards,
Erhard
Dear PRTG,
Are you serious? You determine TLS 1.0 as weak but don't support deactivating it in your own software??? And your solution is to manipulate the rating?
Wow...
Dear Dennis,
Of course we are aware of the irony. Just to be clear: This workaround has not been implemented due to the circumstance that PRTG does not support deactivating TLS 1.0 for its own webserver at the moment.
The thing is, there are many users out there and while some need the sensor to sound the alarm when TLS1.0 is supported, others do not want this or at least not for every device for several reasons. Now instead of instructing how to tinker manually with the used lookups in the sensor, we decided to provide alternate lookups ourselves to switch the behavior. Otherwise, once you use self-made lookups, future changes to the sensor may not work because of the custom lookups.
As for "our homework" regarding TLS1.0: We are working on deactivating TLS 1.0 for PRTG, but it's a little more complicated than just flicking a switch since there are several dependencies around that which have further implications that might even break certain sensors if we would just shut off TLS1.0.
Kind regards,
Erhard
Created on Oct 13, 2016 3:31:32 PM by
Erhard Mikulik [Paessler Support]
Last change on Oct 13, 2016 3:35:57 PM by
Erhard Mikulik [Paessler Support]
Hi,
Is there an update to this? Or a time-frame at the least? We also require this.
Hi Matt,
You've got mail.
Kind regards,
Erhard
Created on Feb 1, 2017 1:40:09 PM by
Erhard Mikulik [Paessler Support]
Last change on Feb 1, 2017 1:40:22 PM by
Erhard Mikulik [Paessler Support]
Hi Erhard,
We are also interested in an update or a solution.
Thank You.
Best regards, Sebastian
@Sebastian: You've got mail.
Kind regards,
Erhard
Hi guys. Any update on this? PRTG is causing my PCI scan to fail and I really need to disable TLS1.0 and SSL3.
Hi Andre,
You too have got mail.
Kind regards,
Erhard
Could I get mail as well regarding this issue? Thanks
Hi Matt,
Sure, you've got mail.
Kind regards,
Erhard
Hi Erhard,
I'm also interested in a solution to disable TLS 1.0
Regards.
Hi Bruno,
Sure, you've got mail.
Kind regards,
Erhard
Hi Erhard, I also need a solution to disable TLS 1.0. Best,
Hi Erhard. May I also get a solution to disable TLS1.0 on my system? Thank you, best regards.
Hi jvazac,
Sure, you've got mail.
Kind regards,
Erhard
Hi Erhard, I would also like this solution. Thanks.
Hi ebeville,
Sure, you've got mail.
Kind regards,
Erhard
Hi,
Would it be possible to receive the solution as well please?
Many Thanks,
Aston
Please keep working on a solution. Cert scans are failing on PRTG. I can't pass PCI DSS this year if I also run PRTG. Also put me on the mailing list. Thanks
Hello Aston, hello lwdbos,
Both of you got mail to your email addresses used for registering in our knowledgebase.
Kind regards,
Erhard
We also need to disable TLS1 and 1.1 as we are being dinged on 3rd party security scans required for our audit.
Hello Cory,
You've got mail.
Kind regards,
Erhard
Can I please have the solution to this as also failing PCI
Hello Dan,
And you too have got mail.
Kind regards,
Erhard
I need to remove TLS 1.0 as well. Would you please email me the information ? Thanks
Can I get this as well? Thanks
@wdkunkin & kube1984: You've got mail.
Kind regards,
Erhard
Hi, can you please help me as well?? I need to pass our audit!
Dear Tan, because we are already in email contact with you, I suggest to keep on that communication source.
Best,
Sebastian
Hi. I'd be interested in how we can disable TLS 1.0.
Hi mchapman,
You've got mail.
Kind regards,
Erhard
We are also facing PCI DSS and need to disable. Can I please get the e-mail? /Andreas
Hello Andreas,
Sure, mail just went out.
Kind regards,
Erhard
Hi, Please also send me the email.
My InfoSec team just said this server is causing us to fail our PCI external scans. Any update on this capability being built in yet or can I get the email that seems to have a solution?
Check your mailbox TCS-Obrien, you got mail.
So, why don't we just post the solution instead of sending individual emails? I'm failing security scans too since I can't disable TLS 1.0 on PRTG.
Please can you also send the solution to disable TLS 1.0
thanks
We would also like the solution. Could you please email it to me as well? Thank you.
Can I also receive this email...
Another request for the secret email, please!
Everybody should have received the instructions, otherwise please let us know in case we overlooked someone.
Kind regards,
Erhard
Hello Erhard,
Could I have this mystery email also? :-)
Thanks in advance!
Regards Mikkel
Hi Mikkel,
Erhard is not here today, but I just sent the information. :)
Best regards, Felix
Can I also be sent the fix? Thanks
Hi mspitz,
You've got mail.
Kind regards,
Erhard
Please, forward the email to me also.
Thanks,
Hans
Can I have the fix too please.
Craig & Hans, you've got mail.
Kind regards,
Erhard
Hi Erhard,
I need your email also ;-)
Thanks, Rainer
Can I have the fix too please.
Please can you send me the fix - I need TLS1.0 to be gone from my systems.
thanks.
Hello Phil,
You've got mail.
Kind regards,
Erhard
I would also like the fix.
Thank you.
Hello Brian,
You've got mail.
Kind regards,
Erhard
Could you send me the fix too?
Kind regards, Jeroen
Hello Jeroen,
You've got mail.
Kind regards,
Erhard
Hi Erhard, I need your email also to disable TLS 1.0 ;-) Thanks, Nathan
Hi Nathan,
Sure, you've got mail.
Kind regards,
Erhard
Hi Erhard, I'd like this too.
thanks, Bruce.
Hi Bruce,
Mail's out.
Kind regards,
Erhard
We need the solution to disable TLS 1.0 on PRTG. Thanks
Hello cheejack_ng,
You've got mail.
Kind regards,
Erhard
Hi Erhard,
can you share that with me as well?
Hi unraveller,
Yes, I can and I just did (mail's out) :)
Kind regards,
Erhard
I would like instructions on how to disable tls 1.0.
Hello dquick,
You've got mail.
Kind regards,
Erhard
Hi, Please could you send the instruction to myself as well?
Thanks Mark
Can I also get the instructions how to disable TLS 1.0 please? many thanks
One more for these secret cannot be posted instructions.
Hi Erhard, Could you pass details on for this to me? need to pass our audit.
You'd save yourselves a bit of work, and customers a bit of time having to register for a forum account, if you'd simply release a knowledgebase article. In the meantime, can you email me the instructions, please?
I sent the instructions to both of you.
Best regards, Felix
Can I have the secret magic email too please.
Can I have the fix too please.
The "Magic Mail" got sent. :)
May I too have this magic to disable TLS 1.0? :)
Can I have the fix too please.
Hello Martin,
You've got mail.
Kind regards,
Erhard
Can someone send me the steps for disabling TLS 1.0?
Hello Ernesto,
You've got mail.
Kind regards,
Erhard
Can I please also get this magic email to disable TLS 1.0?
Thanks!
Hello radumelnic,
Please check your emails.
Best,
Sebastian
please send me the fix, also failing PCI scans as need to disable
• The following SSL/TLS cipher suites use Diffie-Hellman a prime modulus smaller than 2048 bits:
• TLS 1.0 ciphers:
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
• TLS 1.1 ciphers:
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
We also need to disable tls 1.1 for PCI scanning
Hi Mike,
You've got mail.
Kind regards,
Erhard
Why hasn't the solution to disable TLS 1.0 been posted publicly? It seems a little ridiculous that you're emailing each individual customer with the solution. Can I please get this secret information update sent to me?
Can I get the email too?
@rcary: You've got mail.
@unluck: Point taken. Since the workaround has a few culprits like Enterprise Console not working anymore, we decided to not publish it and only give it out to people explicitly asking for it, you could have also sent us an email about it.
Thing is, depending on how it will be finally implemented later in PRTG, we might need to contact the users who have applied the "reghack" to adjust something (if necessary, you never know....).
By handling it like this, we can at least keep track of the people who were handed out the details so far.
Kind regards,
Erhard
We also need to disable TLSv1.0 - can I get the Mail? Steffen
Hi Steffen,
You've got mail.
Kind regards,
Erhard
Hi,
Please can you send me the relevant info too?
Thanks,
Nik
Hi Nik,
Sure, mail's out.
Kind regards,
Erhard
I would like this super secret email please.
Hello pjs5406,
You've got mail.
Kind regards,
Erhard
Please send us these instructions.
Hello Kenneth,
You've got mail.
Kind regards,
Erhard
Can I have the instructions please?
Please also send the instructions to me.
Kind Regards, Thomas.
Hi Thomas,
You've got mail.
Kind regards,
Erhard
Can you send me this email?
Best regards, Ernest
Hi Ernest,
Sure, you've got mail.
Kind regards,
Erhard
Could I also have the secret squirrel email please... :)
Hi Michael,
Yes, you can ^^
Kind regards,
Erhard
I don't understand why the solution can't be posted but can you send me the method to disable TLS1.0. TLS1.0 fails PCI so this should be published for all...
Dear 87racer,
Mail's out and here's why we don't post the details publicly (yet).
Kind regards,
Erhard
Hello,
I would also like to have this email.
Thanks!
Hi Phil,
You've got mail.
Kind regards,
Erhard
Created on Sep 18, 2017 8:07:03 PM by
Erhard Mikulik [Paessler Support]
Last change on Sep 18, 2017 8:07:22 PM by
Erhard Mikulik [Paessler Support]
I need the fix. Thanks in advance
Manny, you got mail as well.
Best regards, Felix
Can I please also have the TLS 1.0 disable fix ? Thanks
Hi unibe_sec_team,
You've got mail.
Kind regards,
Erhard
Can I please also have the TLS 1.0 disable fix? Thanks. It's a pain for our PCI compliance.
Hello Wayne,
You've got mail.
Kind regards,
Erhard
Can I please also have the TLS 1.0 disable fix ? Our PCI scans keep failing. Thanks
Hi Coop888,
You've got mail.
Kind regards,
Erhard
Can I get the mail also to disable TLSv1.0?
Kind regards,
Patrick
Hi Patrick,
Sure, mail's out.
Kind regards,
Erhard
I need the instruction too. Regards, Michal
Hello Michal,
You've got mail.
Kind regards,
Erhard
I am running 17.3.32.2478 and need the instructions as well
Hello Harleytek,
You've got mail.
Kind regards,
Erhard
Hi Erhard,
I'm running PRTG Network Monitor 17.3.33.2830+ do you have also an email for me, to disable TLS 1.0?
Kind Regards Michael
Hi Michael,
Sure, mail's out.
Kind regards,
Erhard
Hello, I am amazed at the fact this thread is now 3 years old and is mostly mailing out the solution. But alas, I too need this email please.
You got mail Samuel.
Best regards, Felix
Please send me the solution.
Please send me the temporary fix also. Thank you, Tom
Hi guys, please send me the solution to disabling TLS1.0 thanks, Ross
Hello, would you be so kind to forward over the solution to the TLS1.0 fix? Thank you!
Please send me the fix for the solution to TLS 1.0 issue. Thanks! -Sam
Hi Sam,
You've got mail.
Kind regards,
Erhard
Hi,
Please can you also send the solution to disable TLS 1.0
Many thanks
Best Regards, Carlo
Please send me the fix too! Thanks
May I have the mail also please?
Thanks,
May I please get this email?
Please send me the email. Thanks
Hi, please can you also send the solution to disable TLS 1.0? Many thanks. Best regards, Dave
Hi, please can you also send the solution to disable TLS 1.0
Thanks
Please send me the solution to disable TLS 1.0
Hi,
Please can you also send the solution to disable TLS 1.0? Need it for Windows (IIS), Ubuntu and Debian (apache2)
Thanks
Hi kranzfr3d,
I can send you instructions for how to disable TLS 1.0 for PRTG's webserver, not for other webservers. PRTG has a webserver of its own, it's neither IIS nor Apache based.
Kind regards,
Erhard
Can you please send instructions on how to disable TLS1.0 on the PRTG webserver? Thanks
Mahesh
Can I also get these instructions emailed. Thanks in advance.
May I please have the secret recipe to disable TLS 1.0 and SSLv3? Thanks!
Could we get the instructions also, please?
Thanks.
May I please have the secret recipe to disable TLS 1.0 and SSLv3? Thanks!
Can you please send me the instructions? Thanks!
Dear PRTG team, can I also get the instructions to disable TLS1.0? Thanks for this great tool!!!
Dear PRTG Team,
can I also get instructions to disable TLS1.0?
Thanks
Please also send me the mystery email that disables TLS 1.0. We are also failing PCI scans. Thanks!
Hi PRTG Team,
Please can I be sent the mystery secret email as well.
Thanks, Rick
I need the secret email too. Thanks
Is there any progress on being able to disable TLS 1.0 without it removing functionality?
Hi Martin,
The options to disable TLS1.0 will officially find their way into version 18.x.43 if all goes well (ETA August 2018), so there is no more tinkering with the registry required. What will not change is that Enterprise Console will no longer work with TLS1.0 disabled, as Enterprise Console is no longer under active development and will be replaced by Desktop Client that is already available for beta testing.
Kind regards,
Erhard
As with many others, I too need to remove TLS1.0 from my PRTG probes and servers. May I please have the email detailing how to do this sent to me? Thank you.
Hi there,
Sure, you'll receive the mail soon.
Best regards, Felix
Can I also have the super-secret email, please?
18.3.43.x is now out - does this contain the fix or are we waiting for a different release?
Please may I also have this workaround?
PRTG version 18.x.43 does not yet contain the new webserver settings, it will be part in one of the upcoming releases though. Thanks for bearing with us!
Best regards, Felix
Hello
Could you please send me the email also please?
Thank you
Neville
Can I please request the PRTG registry fix for tls 1.0?
Could I get the instructions also, please?
Best regards Michael
Option for disabling TLS1.0 is now available starting with version 18.3.44.2054.
Created on Sep 12, 2018 8:43:01 AM by
Erhard Mikulik [Paessler Support]
Last change on Sep 24, 2018 2:13:01 PM by
Erhard Mikulik [Paessler Support]
Could I please get the email for the "fix"?
Hi support, can I have the email with the fix?
Thx
It's already integrated in the latest version of PRTG, update your instance and change the settings via the Setup > System Administration > Web Interface page.
Kind regards,
Felix Saure, Tech Support Team
We are on version 19.2.50.2842. If I go to Setup -> System Admin -> User Interface -> Web Interface, the setting there for "High Security" still allows TLS 1.1, i.e.:
High security (TLS 1.1, TLS 1.2)
This issue arose in August 2015. Can we please get a serious response to this need?
Dong,
Can you please update to the latest version of PRTG?
Benjamin Day
Paessler Support
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. This server supports TLS 1.1. Grade capped to B.
What is the timeline to be able to turn off TLS 1.1 and the weaker DH keys? Running latest version: PRTG Network Monitor 19.4.54.1506 x64
Belz,
"Setup > System Administration > User Interface > Web Server > Connection Security" setting.
This needs to be set as "Default Security" or "High Security" in order to only accept TLS 1.2 encryption.
This is in the latest stable release of PRTG, 20.1.55.1775.
Benjamin Day
Technical Support
Created on Feb 14, 2020 2:36:32 AM by
Benjamin Day [Paessler Support]
Last change on Feb 14, 2020 2:39:52 AM by
Benjamin Day [Paessler Support]
We are running 20.1.56.1547+, and are set to High Security, but the weak keys are still being used. Grade from SSLLABS still capped at a B due to that.
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
Timeline for the weak keys to be disabled/removed, or at least have a toggle as to which keys to allow?
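Added example (not part of any post in this thread and not Paessler's code): a Python triage of the SSL Labs cipher list pasted in the post above, separating suites whose finite-field DH modulus is below the 2048-bit threshold named in the PCI scan finding earlier in the thread from the suites that would remain. The function names are illustrative assumptions.

```python
import re

# Cipher list as pasted in the post above (SSL Labs output, run together on one line).
SCAN_TEXT = (
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128 "
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128 "
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256 "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 "
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256 "
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK 256 "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 "
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256"
)

MIN_DH_BITS = 2048  # threshold from the PCI scan finding quoted earlier in the thread

# One suite = name, hex id, then free-form detail up to the next suite or end of text.
SUITE_RE = re.compile(
    r"(?P<name>TLS_[A-Z0-9_]+)\s+\((?P<id>0x[0-9a-fA-F]+)\)\s+"
    r"(?P<detail>.*?)(?=\s+TLS_[A-Z0-9_]+\s+\(0x|\s*\Z)",
    re.DOTALL,
)
DH_RE = re.compile(r"(?<![A-Z])DH (\d+) bits")  # finite-field DH only, never "ECDH"
ECDH_RE = re.compile(r"ECDH (\S+)")


def parse_suites(text):
    """Split run-together scanner output into one record per cipher suite."""
    suites = []
    for m in SUITE_RE.finditer(text):
        detail = " ".join(m.group("detail").split())
        dh = DH_RE.search(detail)
        ecdh = ECDH_RE.search(detail)
        suites.append({
            "name": m.group("name"),
            "id": int(m.group("id"), 16),
            "dh_bits": int(dh.group(1)) if dh else None,
            "curve": ecdh.group(1) if ecdh else None,
            "scanner_weak": "WEAK" in detail.split(),  # the scanner's own label
        })
    return suites


def triage(text, min_dh_bits=MIN_DH_BITS):
    """Return (disable, keep): suites with a too-small DH modulus, and the rest."""
    disable, keep = [], []
    for s in parse_suites(text):
        too_small = s["dh_bits"] is not None and s["dh_bits"] < min_dh_bits
        (disable if too_small else keep).append(s)
    return disable, keep


def report(text):
    """Human-readable summary for a change ticket or a re-scan checklist."""
    disable, keep = triage(text)
    lines = [f"DISABLE 0x{s['id']:04x} {s['name']} (DH {s['dh_bits']} bits)"
             for s in disable]
    lines += [f"KEEP    0x{s['id']:04x} {s['name']} ({s['curve']})"
              + (" [scanner: WEAK]" if s["scanner_weak"] else "") for s in keep]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SCAN_TEXT))
```

On this list all four DHE suites fall below the threshold, and four ECDHE suites on secp384r1 remain, two of which carry no WEAK label from the scanner.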
Hello
I'm in version 20.1.55.1775. set the connection security to high security TLS1.2 but I still get TLS1.0 and 1.1 enabled. Any way to solve this?
Regards Ricardo
Ricardo
Please update to the latest version of PRTG, 20.1.57, and try again. If this still persists, please open a support ticket.
Benjamin Day
Paessler Support
I got the same issue, what is the secret to solve this? High security (TLS 1.2) activated
SSLABS ->
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
and I'm running PRTG Network Monitor 20.3.60.1623 x64
regards, Jannick
Created on Sep 30, 2020 7:38:10 AM by
jannick
Last change on Sep 30, 2020 9:11:13 PM by
Benjamin Day [Paessler Support]
Jannick,
Can you please update to the latest stable release of PRTG, and try this again?
Benjamin Day
[Paessler Support]
May I please get the email on disabling TLS 1.0 for version 14.3? We have it running just for ICMP polling on an environment and no need to upgrade at this time.
Miguel,
At this time we only support versions with active maintenance and released within the last calendar year.
Benjamin Day
[Paessler Support]
Hi, could I have the hidden fix, as this is also causing me issues with PCI compliance?
Vince,
In the current stable release of PRTG, the default web server security setting is to use only TLS 1.2. So as long as you're running version 22.2.77, you should be good to go.
Benjamin Day
[Paessler Support]
Hi, may I have the magic fix to disable tls1.0 on older PRTG too? Thanks.