
'A+' should require TLS 1.0 be disabled (no longer viable for PCI compliance)

Question asked by Dave Garrett on Mar 20, 2015
Latest reply on Sep 13, 2015 by RayPesek

TLS 1.0 needs to be phased out at some point. Due to recent NIST re-scoring, it looks like TLS 1.0 is no longer PCI compliant as there are no longer any viable ciphers for it without RC4. See discussion after the change, here:

Issue 375342 - chromium - Drop RC4 Support - An open-source project to help move the web forward. - Google Project Ho…

TLS 1.0 is still generally considered acceptable, but support for it should probably limit servers to an 'A' rating. Doing so for TLS 1.1 is probably also warranted (not that much of anything negotiates it).
