How do you determine the protocol security ratings of the SSL Security Check sensor?

I use several SSL Security Check sensors to monitor SSL/TLS connectivity to various devices and would like to know how you decide about rating an accepted protocol as weak or strong.

For example, why does the SSL Security Check sensor rate TLS 1.0 as weak and show a Warning status if a connection with this protocol is possible?

Tags: lookups, prtg, sensor, ssl, ssl-security-check, tls

Created on Oct 10, 2016 2:30:30 PM by Gerald Schoch [Paessler Support]

Last change on May 31, 2019 12:24:53 PM by Maike Guba [Paessler Support]



Accepted Answer

This article applies as of PRTG 22

Security ratings of the SSL Security Check sensor

The SSL Security Check sensor monitors SSL/TLS connectivity to the TCP/IP port of a device and shows which protocols are supported. If a supported protocol is considered to provide only weak security, the sensor shows the Warning status.

The sensor considers the security of TLS 1.1 to be strong (RFC 4346) and the security of TLS 1.2 to be perfect (RFC 5246). If the target device only supports these protocols, the sensor shows the Up status.

Protocols with weak security

The security of the following protocols is considered to be weak. For example, the National Institute of Standards and Technology (NIST) declares that “servers shall not support TLS 1.0, SSL 2.0, or SSL 3.0” (see the PDF Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations).

Because of this weak security, the SSL Security Check sensor shows the Warning status if the target device accepts the connection with at least one of these protocols. We strongly recommend that you update the encryption of your servers to TLS 1.1 or TLS 1.2 to secure your communication.

Note: As of PRTG 18.1.38, SSL 2.0 is no longer available in the SSL Security Check sensor.

Change TLS 1.0 security rating

The SSL Security Check sensor only checks supported protocols but does not consider the used ciphers. So, after a risk analysis, TLS 1.0 may still be considered to be secure in your environment. However, because of the known vulnerabilities, we have decided that the sensor must reflect this insecurity and show the Warning status for TLS 1.0 connections by default.

We understand that some customers do not want to get the Warning status for TLS 1.0, so we provide the option to use a compatibility lookup file. To set the sensor to the Up status for TLS 1.0, you need to change the used lookup files in two sensor channels.

  • Open the channel settings of the Security Rating channel and choose the lookup file prtg.standardlookups.sslsensor.security.compatibility.
  • Open the channel settings of the TLS 1.0 channel and choose the lookup file prtg.standardlookups.sslsensor.tls
  • Save the changes to both channels.

The sensor no longer shows the Warning status for TLS 1.0. Note that we do not recommend this workaround because of the well-known security vulnerabilities in TLS 1.0.

Created on Oct 10, 2016 2:38:56 PM by Gerald Schoch [Paessler Support]

Last change on Jan 4, 2023 2:44:15 PM by Brandy Greger [Paessler Support]
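
To cross-check what the sensor reports for a device, the following added example (not Paessler's code and not part of the answer above) offers one protocol version at a time and applies the rating rules the answer describes. The names probe, rate and tls10_compat are this example's own, the "Unrated" label covers a case the answer does not address, and treating SSL 3.0 as still weak under the compatibility lookup is an assumption.

```python
import socket
import ssl
import sys

# Protocols named in the answer. SSL 2.0 is left out (dropped from the sensor).
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
WEAK = {"SSLv3", "TLSv1"}  # from the NIST quote; TLS 1.1/1.2 rate strong/perfect


def probe(host, port, name, timeout=5.0):
    """True/False: server accepts/rejects exactly this version.
    None: the local OpenSSL build cannot offer it, so it is untestable here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # protocol support only; certificates are not judged
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 refuses TLS 1.0/1.1 above level 0
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
    except (ValueError, ssl.SSLError):
        return None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
        except OSError:  # includes ssl.SSLError and connection resets
            return False


def rate(results, tls10_compat=False):
    """Map {protocol: True/False/None} to (status, weak protocols accepted, untested).
    tls10_compat mirrors the compatibility lookup: TLS 1.0 no longer warns."""
    weak = WEAK - {"TLSv1"} if tls10_compat else WEAK
    accepted = {p for p, ok in results.items() if ok}
    hits = sorted(accepted & weak)
    untested = sorted(p for p, ok in results.items() if ok is None)
    if hits:
        status = "Warning"
    elif accepted:
        status = "Up"
    else:
        status = "Unrated"  # this example's own label, not a sensor status
    return status, hits, untested


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py HOST PORT
        results = {p: probe(sys.argv[1], int(sys.argv[2]), p) for p in PROTOCOLS}
    else:  # constructed sample: SSL 3.0 untestable locally, the rest accepted
        results = {"SSLv3": None, "TLSv1": True, "TLSv1_1": True, "TLSv1_2": True}
    print(results, rate(results), rate(results, tls10_compat=True))
```

A protocol reported as untested was never offered to the server, so an "Up" result with a non-empty untested list says nothing about that protocol.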