Disable TLS 1.0 with WHM and Cloudflare for Trustwave PCI Compliance
Last Updated September 22nd, 2020
Trustwave is a popular security service firm that offers PCI Compliance scans for local and online locations accepting credit cards. A client of mine needed changes made to their web server in order to help them pass the scan. The trouble started with trying to figure out how to disable TLS 1.0.
Even though they are automated, Trustwave scans can take some time to process and deliver results. It can be a painstaking process to make adjustments to your server, run a scan, wait to hear back, and then act again. To save time, you can check your site’s SSL/TLS status using the SSL Server Test from Qualys.
In the end, the big issue for my client-centered on disabling support for TLS 1.0 on their website. TLS 1.0 is the deprecated version of the Transport Layer Security cryptographic protocol.
I had to make changes in two places to finally pass the Trustwave PCI Compliance scan:
- Web Host Manager (WHM)
Web Host Manager TLS 1.0 Settings
You could spend all day doing research into what changes you have to make through WHM to disable TLS 1.0 but I found an incredibly useful guide at the RainingForks Tech Blog that got me through the process. I followed all of their steps, used the exact same TLS Cipher Suites, and got the scan to show TLS 1.0 had been disabled on most ports.
Warning: Using the TLS Cipher Suite recommendations from RainingForks can cause problems for applications like email. Some older email programs won’t work properly with TLS 1.0 shut off. My particular client was using a third-party email provider so this wasn’t a problem for them but your situation might be very different.
Cloudflare TLS Settings
For the web server port, I had to make one additional change using my client’s Cloudflare account. If you access the Crypto settings you will find a section called Require Modern TLS. Simply flip the switch from off to on and you’ll force Cloudflare to use TLS 1.2 or 1.3 for your site.
This was the last change I needed to fully disable TLS 1.0 and pass the Trustwave scan.
Still Stuck? Ask for Help
Hopefully, this post can get you headed in the right direction. It can take a lot of research followed by trial and error to disable TLS 1.0 on your own and as I warned above, this solution might cause extra problems you and your business can’t live with.
If you’re still running into problems it might be time to reach out for some assistance.
Many hosting providers offer their own PCI Compliance scans and reports and many are willing to make changes to your setup to help you pass a third-party scan like the one from Trustwave. These arrangements typically come with additional fees so contact your hosting company’s support technicians for details.
For any questions, or help in which direction to look for answers, please feel free to contact us.