I'm trying to secure my infrastructure to meet the PCI-DSS standard using securitymetrics.com. The standard mandates the use of TLS 1.1 minimum (with a CBC cipher). TLS 1.0 is not allowed.
While securing ftp (vsftpd), I have disabled sslv2 and sslv3, but couldn't block TLS 1.0 without also disabling TLS 1.1 and TLS 1.2. The config file has the ssl_tlsv1
option that can be set to YES or NO, but I don't see any way to distinguish between 1.0 and later versions.
How can I enable only TLS 1.1 and better?
Best Answer
Answer isn't posted, so I thought I'd follow up for the rest...
To disable TLSv1.0 and enable TLSv1.1 and TLSv1.2 just add these two lines and change the third:
Note that these options are only available with a patched version of vsftpd, which seems to be installed only on CentOS and specifically not on Ubuntu. Other distributions may have the patched version as well.
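Whichever vsftpd build you end up with, confirm the result from the outside rather than trusting the config file. The probe below is an added example, not code from the original answer or from vsftpd; it assumes a placeholder host and port, speaks plain FTP `AUTH TLS` on the control channel, and then attempts one handshake per protocol version with the client pinned to exactly that version.

```python
import socket
import ssl

# Constructed placeholder target: replace with the vsftpd host you are checking.
TARGET_HOST = "ftps.example.test"
TARGET_PORT = 21

# ssl.TLSVersion values paired with the names ssl.SSLSocket.version() reports.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def ftp_reply_code(line: str) -> int:
    """Three-digit FTP reply code ('234 Proceed with negotiation.' -> 234); -1 if malformed."""
    line = line.strip()
    return int(line[:3]) if len(line) >= 3 and line[:3].isdigit() else -1

def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that will negotiate exactly one protocol version and nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing version support only, not validating identity
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL's default level refuses old versions
    except ssl.SSLError:
        pass  # builds without security levels reject the option; probe without it
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe_ftps_version(host: str, port: int, name: str, timeout: float = 5.0) -> bool:
    """Open the control channel, send AUTH TLS, then try a handshake pinned to `name`."""
    ctx = pinned_context(VERSIONS[name])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="latin-1")
        if ftp_reply_code(reader.readline()) != 220:  # single-line server banner assumed
            return False
        sock.sendall(b"AUTH TLS\r\n")
        if ftp_reply_code(reader.readline()) != 234:  # 234 = proceed with negotiation
            return False
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
        except (ssl.SSLError, OSError):
            return False  # handshake refused: this version is disabled on the server

def pci_findings(results: dict) -> list:
    """Judge probe results against the requirement above: TLS 1.0 off, TLS 1.1 or later on."""
    findings = []
    if results.get("TLSv1"):
        findings.append("TLSv1 accepted: PCI DSS requires TLS 1.1 or later")
    if not any(results.get(v) for v in ("TLSv1.1", "TLSv1.2", "TLSv1.3")):
        findings.append("no TLS 1.1+ version accepted: clients will fall back or fail")
    return findings

if __name__ == "__main__":
    outcome = {n: probe_ftps_version(TARGET_HOST, TARGET_PORT, n) for n in VERSIONS}
    print(outcome, pci_findings(outcome) or ["OK"])
```

A server that still answers `True` for `TLSv1` after the config change has not picked up the new options, so restart vsftpd and re-run before submitting the scan.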