This article applies as of PRTG 22
How does PRTG decide if an accepted protocol is rated weak or strong in the SSL Security Check sensor to monitor SSL/TLS connectivity? For example, why does it consider TLS 1.0 weak and issue a Warning status?
Security ratings of the SSL Security Check sensor
The SSL Security Check sensor monitors SSL/TLS connectivity to the TCP/IP port of a device and shows which protocols are supported. If a supported protocol is considered to provide only weak security, the sensor shows the Warning status.
The sensor considers the security of TLS 1.1 to be strong (RFC 4346) and the security of TLS 1.2 to be perfect (RFC 5246). If the target device only supports these protocols, the sensor shows the Up status.
Protocols with weak security
The security of the following protocols is considered to be weak. For example, the National Institute of Standards and Technology (NIST) declares that “servers shall not support TLS 1.0, SSL 2.0, or SSL 3.0” (see the PDF Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations).
- SSL 2.0 is deprecated by RFC 6176.
- SSL 3.0 is deprecated by RFC 7568.
- TLS 1.0 suffers from several vulnerabilities like CBC Chaining attacks and Padding Oracle attacks (see the OWASP Transport Layer Protection Cheat Sheet).
Because of this weak security, the SSL Security Check sensor shows the Warning status if the target device accepts the connection with at least one of these protocols. We strongly recommend that you update the encryption of your servers to TLS 1.1 or TLS 1.2 to secure your communication.
Note: As of PRTG 18.1.38, SSL 2.0 is no longer available in the SSL Security Check sensor.
Change TLS 1.0 security rating
The SSL Security Check sensor only checks which protocols are supported but does not consider the ciphers in use. So, after a risk analysis, TLS 1.0 may still be considered secure in your environment. However, because of the known vulnerabilities, we have decided that the sensor must reflect this insecurity and show the Warning status for TLS 1.0 connections by default.
We understand that some customers do not want to get the Warning status for TLS 1.0, so we provide the option to use a compatibility lookup file. To set the sensor to the Up status for TLS 1.0, you need to change the lookup files that two sensor channels use.
- Open the channel settings of the Security Rating channel and choose the lookup file prtg.standardlookups.sslsensor.security.compatibility.
- Open the channel settings of the TLS 1.0 channel and choose the lookup file prtg.standardlookups.sslsensor.tls.
- Save the changes to both channels.
The sensor no longer shows the Warning status for TLS 1.0. Note that we do not recommend this workaround because of the well-known security vulnerabilities in TLS 1.0.
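An added example, not code from this article or from PRTG: a small Python probe that checks which of the protocols rated above a server accepts and maps the result to the sensor status described in this article, including the effect of the TLS 1.0 compatibility workaround. The target host and port, and the "Down" result for a server that accepts none of the rated protocols, are assumptions of this example.

```python
import socket
import ssl
import sys

# Ratings as the article describes them (PRTG 22); TLS 1.3 is not rated there,
# so this example does not probe it (an assumption of this example).
RATING = {"SSL 3.0": "weak", "TLS 1.0": "weak", "TLS 1.1": "strong", "TLS 1.2": "perfect"}
VERSIONS = {
    "SSL 3.0": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def accepts_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is tested, not the certificate
    try:
        ctx.minimum_version = version  # ValueError if the local OpenSSL lacks it
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy protocols negotiate a cipher
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, ssl.SSLError, OSError):
        return False

def probe(host, port=443):
    """Return the names of the rated protocols the server accepts."""
    return {name for name, v in VERSIONS.items() if accepts_version(host, port, v)}

def sensor_status(supported, tls10_compatibility=False):
    """Map accepted protocol names to the sensor status the article describes.
    tls10_compatibility mirrors the compatibility lookup files (TLS 1.0 no longer
    triggers Warning); "Down" for an empty set is an assumption of this example."""
    if not supported:
        return "Down"
    for name in supported:
        if RATING.get(name) == "weak" and not (tls10_compatibility and name == "TLS 1.0"):
            return "Warning"
    return "Up"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    found = probe(host)
    for name, rating in RATING.items():
        print(f"{name:8} {'accepted' if name in found else 'rejected':9} ({rating})")
    print("Sensor status:", sensor_status(found))
```

Run it as `python probe.py your-server:443`-style with the host as the first argument; a protocol reported as rejected may also mean the local OpenSSL build no longer supports that version at all.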
Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.