Hi,


We included the TLS 1.1 and/or TLS 1.2 protocols in our application code, before the request to the API. As ours is cloud-based, we have chosen this way as suggested in https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/(.NET)_Enable_SSL_Protocols_for_your_Integrations_-_TLS_1.1_and_TLS_1.2


But our PEN test results are still detecting the vulnerability, and we are not sure how to detect this now.

We checked (3 times till now) each and every module for API calls and did the below:

1. For REST API, included TLS 1.1 and/or TLS 1.2 in OnBeforeRequest.

2. For SOAP, we include TLS 1.1 and/or TLS 1.2 before each and every API call.

3. Even in .NET extensions, we included it before each and every API call.


But the PEN test results are still complaining.

I am not sure how to detect the issue now. 


Here are the results:


HIGH

TLS Version 1.0 Protocol Detection (PCI DSS)

Description

The remote service accepts connections encrypted using TLS 1.0. This version of TLS is affected by multiple cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Solution

All processing and third party entities - including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cutover to a secure version of TLS (as defined by NIST) effective June 2018.

Output

TLSv1 is enabled on port 443 and the server supports at least one cipher.


There must be some easy way. Please suggest.

Thank you

Hi lakshmi,

The article applies to on-premise installations.

You should contact OutSystems Support to address your issue.

Regards,

Nordin


Nordin Ahdi wrote:

Hi lakshmi,

The article applies to on-premise installations.

You should contact OutSystems Support to address your issue.

Regards,

Nordin


Thanks Nordin. Will contact OutSystems.
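
The scanner finding quoted in the first post concerns the listener on port 443 accepting TLS 1.0, so it can be re-checked from outside by offering only TLS 1.0 to that port and reading the server's first reply. The following is an added example, not code from this thread or from OutSystems; the function names are made up for illustration, and the hostname given on the command line is assumed to be an environment you operate.

```python
import os
import socket
import struct
import sys

TLS10 = b"\x03\x01"  # wire encoding of the TLS 1.0 protocol version

def client_hello(host):
    """Minimal ClientHello that offers TLS 1.0 as its highest version."""
    name = host.encode("ascii")
    # server_name extension, so a shared (cloud) front end can route the probe
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    # supported_groups (secp256r1, secp384r1) and ec_point_formats (uncompressed)
    ext = sni + bytes.fromhex("000a0006000400170018" "000b00020100")
    # RSA and ECDHE suites with CBC/SHA-1, the kind a TLS 1.0 stack can pick
    suites = bytes.fromhex("002f0035000ac013c014c009c00a")
    body = (TLS10 + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS10 + struct.pack("!H", len(handshake)) + handshake

def classify(reply):
    """Interpret the first bytes the server sent back."""
    if len(reply) >= 7 and reply[0] == 0x15:        # alert record
        return f"rejected: alert {reply[6]}"        # 70 = protocol_version
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:  # ServerHello
        chosen = reply[9:11]
        return "TLS 1.0 accepted" if chosen == TLS10 else f"server chose {chosen.hex()}"
    return "inconclusive"

def probe(host, port=443, timeout=5.0):
    """Send the TLS 1.0-only hello to host:port and classify the reply."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(client_hello(host))
            while len(reply) < 11:
                chunk = sock.recv(11 - len(reply))
                if not chunk:
                    break
                reply += chunk
        except OSError:  # a reset or timeout also means no ServerHello arrived
            pass
    return classify(reply)

if __name__ == "__main__":
    # The hostname is supplied by the operator (assumed: your own environment)
    print(probe(sys.argv[1]))
```

A result of "TLS 1.0 accepted" matches the scanner's "TLSv1 is enabled on port 443"; an alert or a closed connection means the listener no longer negotiates that version.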