5001 port forwarding failed PCI compliance scan?

Discussion in '3CX Phone System - General' started by danieltan, Feb 1, 2018.

Thread Status:
Not open for further replies.
  1. danieltan

    Joined:
    Dec 29, 2017
    Messages:
    6
    Likes Received:
    0
    I recently installed an on-premises 3CX server, and opened up port 5001. During a recent PCI compliance scan, our merchant account administrator failed our scan, because "A service supporting outdated versions of TLS or SSL was detected."

    Some background info. If a business processes customer credit cards via the Internet, the merchant account service provider requires the business to be PCI compliant. When a business is PCI compliant, it means the customer credit card information is secure. Otherwise the merchant account provider will cease offering credit card processing to the business.

    The PCI scan report follows:
    -------------------------------------
    IP Address: 70.121.63.xxx (which is our public IP)
    Host: 70.121.63.xxx (which is our public IP)
    Path:

    THREAT REFERENCE

    Summary:
    Server supports TLS 1.0 protocol

    Risk: High (3)
    Port: 5001/tcp
    Protocol: tcp
    Threat ID: misc_tls_tls10

    Details: A service supporting outdated versions of TLS or SSL was detected. TLS 1.0 and SSLv3 are affected by known flaws which could allow man-in-the-middle attacks, such as BEAST and POODLE.

    Information From Target:
    Service: commplex-link
    Server accepted TLS 1.0 handshake with TLS_DHE_RSA_WITH_AES_128_CBC_SHA cipher
     
  2. eddv123

    eddv123 Well-Known Member

    Joined:
    Aug 15, 2017
    Messages:
    1,404
    Likes Received:
    186
    Funny you should mention this, I did recently see a post from one of the 3CX engineers on here (and I quote):

    "3CX's SP2 update has an increased pack of security and had deprecated a bunch of SSL3 and TLS protocols / ciphers for PCI reasons"

    And a quick side note. If you are taking credit card details over the phone and wish to record phone calls and remain PCI Compliant, I highly recommend the Insperix bolt-on Application for 3CX:
    http://www.insperix.com/
     
  3. Brian Cross

    Brian Cross New Member

    Joined:
    Jul 26, 2017
    Messages:
    109
    Likes Received:
    27
    #3 Brian Cross, Feb 1, 2018
    Last edited: Feb 1, 2018
  4. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    7,341
    Likes Received:
    535
    Hello @danieltan

    Please note that we are planning to migrate from TLS 1.0; however, not all of our supported phone manufacturers support higher versions. Once everyone releases a firmware update that supports the current version of TLS, we will release an update disabling it in the web server's configuration.
     
  5. Brian Cross

    Brian Cross New Member

    Joined:
    Jul 26, 2017
    Messages:
    109
    Likes Received:
    27
    I always route the cc machines out on an IP address that has no port forwarding just for this reason.
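
To re-check the scanner's finding from the first post against your own server (for example after an update or a firewall change), the following added example, which is not part of the thread or of 3CX's software, sends a ClientHello capped at TLS 1.0 and reports whether the server answers with a ServerHello or an alert. The function names and the list of offered suites are assumptions made for this sketch; a rejection only shows that none of the offered suites was accepted at TLS 1.0.

```python
import socket, struct, os, sys

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# CBC suites a TLS 1.0 server is likely to accept (assumed list); 0x0033 is the
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA suite named in the scan report.
SUITES = (0x0033, 0x0039, 0x002F, 0x0035, 0xC013, 0xC014)

def build_client_hello(version=0x0301):
    """Extension-less ClientHello whose highest offered version is `version`."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"     # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def parse_server_reply(data):
    """Classify the first TLS record the server sent back."""
    if len(data) >= 7 and data[0] == 0x15:                       # alert record: level, description
        return ("rejected", data[6])
    if len(data) >= 47 and data[0] == 0x16 and data[5] == 0x02:  # handshake record, ServerHello
        version = struct.unpack("!H", data[9:11])[0]
        sid_len = data[43]                                       # session id precedes the chosen suite
        if len(data) < 46 + sid_len:
            return ("truncated",)
        suite = struct.unpack("!H", data[44 + sid_len:46 + sid_len])[0]
        return ("accepted", VERSIONS.get(version, hex(version)), suite)
    return ("no_server_hello",)

def probe(host, port, version=0x0301, timeout=5.0):
    """Send the hello to host:port and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            # Read until one complete record (5-byte header + payload) has arrived.
            while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:  # reset or timeout: treat as no usable reply
            pass
    return parse_server_reply(data)

if __name__ == "__main__":
    # Usage: python tls10_probe.py <your-server> 5001
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A result of `('accepted', 'TLS 1.0', 51)` reproduces the scanner's finding (51 is 0x0033); `('rejected', 70)` is the server's `protocol_version` alert.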
     