PROJET AUTOBLOG


Shaarli - Les discussions de Shaarli

Archived

Original site: Shaarli - Les discussions de Shaarli, as of 23/07/2013


SSL and TLS 1.0 No Longer Acceptable for PCI Compliance | Varonis Blog - The Metadata Era

Friday 2 October 2015 at 11:53
GuiGui's Show - Liens
« [...] the PCI Council released version 3.1 of their Data Security Standard (DSS). While most of the changes in this minor release are clarifications, there is at least one significant update involving secure communication protocols. The Council has decided that SSL and TLS 1.0 can no longer be used after June 30, 2016.

The PCI Council says you must remove completely support for SSL 3.0 and TLS 1.0. In short: servers and clients should disable SSL and then preferably transition everything to TLS 1.2.

However, TLS 1.1 can be acceptable if configured properly. The Council points to a NIST publication that tells you how to do this configuration. »

So be careful when you read that PCI-DSS forces the move to TLS 1.2, nothing could be further from the truth: it is documentation for bullshitters, so nothing is forced, and time is left to migrate infrastructures that should nevertheless already have migrated. ;)