TLS 1.0 now Fails PCI Compliance Scans

Because having TLS 1.0 available now causes automatic failures of most PCI Compliance Scans (http://security.stackexchange.com/questions/87071/pci-compliance-scan-failing-for-supporting-tls-1-0-but-removing-support-breaks), our Octopus Deploy setup has become enemy number 1 for our Security staff. Does anyone have any idea of when Octopus will be upgraded to .Net 4.5 and begin using TLS 1.2?

Hi,

We’d love to, but the trouble is that .NET 4.5 is an in-place, “almost but not totally backwards compatible” replacement for .NET 4.0 with breaking changes that affect some applications. If we upgraded to 4.5, our customers would be forced to install 4.5, but then applications they’ve built and deployed that are only tested for 4.0 would fail.

For that reason I don’t think we’ll be able to move beyond .NET 4.0 until .NET 5.0 (or some other side-by-side compatible version) is released. Until then, we’re stuck with TLS 1.0 for Tentacles (since TLS 1.1 and 1.2 were added in 4.5).

Some examples:

http://blog.discountasp.net/asp-net-4-5-incompatibilities/

After 3.0 ships we’ll reconsider this and try to get better metrics around how many of our users are stuck with 4.0 and whether we could go 4.5 only from Octopus 3.1.

Paul

That’s really unfortunate but I do understand where you’re coming from. I’m really surprised that other people aren’t reporting this as a significant issue. We can’t even get this approved as a temporary allowable exception if we can’t point to a target resolution date before June 30, 2016.

So, the only workaround that I can see is to switch that tentacle over to function as a polling tentacle rather than a listening tentacle until a resolution can be found. Are there any other potential workarounds that I should consider? What are other people doing to maintain their PCI compliance on Octopus deployed servers?

Hi there

We’re having a white paper written by a security researcher we’ve engaged which we’ll make available soon.

As I understand it, most PCI compliance is somewhat discretionary on the auditors.
The scans are the first step, which highlights anomalies; these can then be discussed and mitigated if you have a knowledgeable auditor, and you can maintain compliance. Our paper will cover this mitigation, which should help. Some of the pertinent info though:

TLS 1.0 or 1.1 with weak ciphers removed is “as secure” as 1.2. 1.2 still has weak ciphers though, so it’s a moving target. We can supply the registry entries to remove the weak ciphers.

How open to discussion are your auditors about the reality of MITM attacks inside your data center? We’ve been having some discussions around this, and some auditors are happy to document mitigations, and others seem to be less open to it. I can certainly give you some talking points if it would help.

Regards

Damian
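The registry-based mitigation Damian mentions lives under the Schannel keys on the Windows host. The script below is an added example, not Octopus Deploy's code and not the registry entries Damian offers to supply: it audits the Schannel protocol and cipher values a PCI scanner reports on, and disables a single cipher the way the standard Schannel registry mitigation does. It assumes the standard `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL` layout and an elevated session; the cipher and protocol names are the ones Schannel itself uses.

```powershell
# Added example, not Octopus Deploy's own code: audit the Schannel protocol and
# cipher registry settings that a PCI scanner reports on, and disable a weak
# cipher the way the registry-based mitigation does. Run in an elevated
# PowerShell session on the Windows host being scanned. Reading is side-effect
# free; only Disable-SchannelCipher writes to the registry.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    # Reads one DWORD under HKLM and returns 'default' when the key or value is
    # absent, because Schannel then falls back to the OS default, which is what
    # the scanner probes rather than assumes.
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$SubKey")
    if ($null -eq $key) { return 'default' }
    try {
        $value = $key.GetValue($Name)
        if ($null -eq $value) { 'default' } else { '0x{0:X8}' -f $value }
    } finally { $key.Close() }
}

function Get-SchannelProtocolState {
    # Enabled=0 disables a protocol; DisabledByDefault=1 stops it being offered
    # unless an application asks for it. Scanners test the Server side.
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = Get-SchannelValue "Protocols\$proto\$side" 'Enabled'
                DisabledByDefault = Get-SchannelValue "Protocols\$proto\$side" 'DisabledByDefault'
            }
        }
    }
}

function Get-SchannelCipherState {
    # Names as Schannel spells them. The forward slashes are part of the key
    # name, which is why the .NET registry API is used instead of HKLM:\ paths
    # (the PowerShell registry provider would treat '/' as a path separator).
    param([string[]]$Ciphers = @('NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 128/128', 'Triple DES 168'))
    foreach ($cipher in $Ciphers) {
        [pscustomobject]@{
            Cipher  = $cipher
            Enabled = Get-SchannelValue "Ciphers\$cipher" 'Enabled'
        }
    }
}

function Disable-SchannelCipher {
    # Sets Enabled=0 under SCHANNEL\Ciphers\<name>, creating the key if needed.
    # Schannel reads these values at startup, so a reboot is required.
    param([Parameter(Mandatory)][string]$Cipher)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\Ciphers\$Cipher")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

# Usage: report first, then act only on the cipher rows the scan flagged.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-SchannelCipherState   | Format-Table -AutoSize
# Disable-SchannelCipher -Cipher 'RC4 128/128'
```

The audit functions are the part to run before talking to an auditor: a 'default' in the Enabled column means nothing on the host explicitly controls that protocol or cipher, so the scanner's finding reflects the OS default rather than a deliberate choice. On the Octopus versions this thread discusses, setting `Enabled=0` under the `TLS 1.0\Server` key would stop the listening Tentacle from negotiating at all, which is why the mitigation described above removes ciphers rather than the protocol.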

Hi Damian,

Can you share the link to the security paper if it is out yet?

Thanks,
Ravi

Hi Ravi,

The paper is still in draft form unfortunately. But as of Octopus 3.1 you can now use TLS 1.2 so this thread is not relevant anymore.
I am going to close it out to stop any further confusion.

Vanessa

Hi,

We do have an official document now for distribution. You can email support at octopus.com to request it.

Vanessa