Our servers have previously been "SSL hardened". SSL 2/3 have already been disabled, along with many other custom configs to make them as secure as possible. Here's a good example config that should be supported: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
PRTG is happy monitoring our websites & certs.
We now want to make one more change: we want to disable TLS 1.0. A holdback previously was that some web clients, such as WinXP/IE8, don't support TLS 1.1, but this is no longer of concern to us. Another anomaly we encountered was that RDP from Windows 7 didn't support TLS 1.1, but luckily MS has a patch for that.
Our testing has also uncovered that PRTG's HTTP sensors don't work when we disable TLS 1.0. Here are the outcomes of what's happening with the latest HTTP Advanced Sensor when monitoring a site that requires SSL:
TLS1.0 ON @ target, with Alternative Monitoring engine: OK
TLS1.0 ON @ target, with Default Monitoring Engine: Failed to establish secure connection [Step 0] Socket Error # 10054 Connection reset by peer. [Step 1] Socket Error # 10054 Connection reset by peer. [Step 2] Socket Error # 10054 Connection reset by peer. [Step 3] Socket Error # 10054 Connection reset by peer. [Step 4] Socket Error # 10054 Connection reset by peer. [Unsecure] IOHandler value is not valid
TLS1.0 OFF @ target, with Alternative Monitoring engine: The underlying connection was closed: An unexpected error occurred on a send.
TLS1.0 OFF @ target, with Default Monitoring Engine: Failed to establish secure connection [Step 0] Socket Error # 10054 Connection reset by peer. [Step 1] Socket Error # 10054 Connection reset by peer. [Step 2] Socket Error # 10054 Connection reset by peer. [Step 3] Socket Error # 10054 Connection reset by peer. [Step 4] Socket Error # 10054 Connection reset by peer. [Unsecure] IOHandler value is not valid
I've seen there is a thread about similar behavior with the SSL Cert Expiry sensor, but that sensor is being deprecated, and HTTP Advanced is one of my clients' (and my) favorite sensors. A big list of websites that are all responding with a nice, green HTTP 200 makes everyone happy. So basically, this is a show stopper for disabling TLS 1.0 for the moment.
https://kb.paessler.com/en/topic/63022-http-ssl-certificate-expiry-does-not-support-tls-1-1-or-1-2 - This is from just over a year ago, and I must say I'm proud of them for wanting to disable TLS 1.0 back then. It was improved upon some 10 years ago with TLS 1.1; now is the time we should all be working together to phase it out.
Paessler would be well served by not requiring devices to support this insecure transport in order to take advantage of all that PRTG offers. I could write a story for any actor in this scenario, but the best ones should come from your CIO or security group.
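The two steps described in the post (turning TLS 1.0 off server-side, then checking which versions the target still accepts) as an added PowerShell example. This is not code from the original post or from Paessler: the registry paths are the documented SChannel keys on Windows/IIS, the hostname www.example.com is a placeholder, and the probe only mirrors the "TLS1.0 ON/OFF @ target" checks from the client side; it does nothing about the PRTG probe's own sensor engine.

```powershell
<#
 Added example, not from the original post or from Paessler.
 Part 1 disables TLS 1.0 server-side through the documented SChannel registry
 keys (run from an elevated shell; SChannel only picks the change up after a reboot).
 Part 2 reproduces the post's "TLS1.0 ON/OFF @ target" checks by opening an
 SslStream to the target with one protocol version at a time.
 'www.example.com' is a placeholder hostname, not a real target.
#>
param(
    [string]$TargetHost = 'www.example.com',
    [int]$Port = 443,
    [switch]$DisableTls10   # the registry is only touched when this switch is given
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Enabled=0 turns the protocol off for that side; DisabledByDefault=1 additionally
# keeps it out of the default list when an application asks for "system defaults".
# Only the Server side is changed here, so the host's own outbound TLS is untouched.
function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enabled)
    $key = Join-Path $schannel "$Protocol\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Force -Value ([int]$Enabled) | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Force -Value ([int](-not $Enabled)) | Out-Null
}

# Handshake with exactly one protocol version, so a success or failure is
# attributable to that version alone (the same shape as PRTG's result table).
function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # targetHost, no client certs, the single protocol under test, no revocation check
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Protocol = $Protocol
            Result   = 'accepted'
            Detail   = "$($ssl.SslProtocol) / $($ssl.CipherAlgorithm)"
        }
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # A server with the version disabled usually resets the connection
        # (the post's "Socket Error # 10054") or sends a handshake alert.
        [pscustomobject]@{ Protocol = $Protocol; Result = 'rejected'; Detail = $ex.Message }
    } finally {
        $client.Close()
    }
}

if ($DisableTls10) {
    Set-SchannelServerProtocol -Protocol 'TLS 1.0' -Enabled $false
    Write-Host 'TLS 1.0 disabled server-side in SChannel; reboot for it to take effect.'
}

# After the change and a reboot the expectation is: Tls rejected, Tls11 and Tls12 accepted.
'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsVersion -HostName $TargetHost -Port $Port -Protocol ([System.Security.Authentication.SslProtocols]$_)
} | Format-Table -AutoSize
```

Run it once without -DisableTls10 to record the baseline, then with the switch on the web server, reboot, and run the probe part again from the PRTG probe host; if the probe host's own .NET or SChannel client settings lack TLS 1.1/1.2, every row comes back rejected, which is the client-side failure the post is describing rather than a server problem.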