TLS V1.0/1.1 Connection Allowed

Article ID: 245462

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Hi Team,

Due to a security audit, we have to disable TLS v1.0 / 1.1 connections in CAPAM. Please help explain any impact if we implement this in our CAPAM.

Environment

Release : 3.4, 4.x

Component: CA Privileged Access Manager (PAM)

Resolution

1. Because of the known vulnerabilities in TLS 1.0 and 1.1, these versions are not preferred when a socket or any other type of connection is created.

2. For inbound connections (in the case of A2A and the Windows Proxy), if the TLS version does not match, the code falls back to a lower TLS version (1.2 -> 1.1 or 1.0). If TLS 1.0/1.1 are disabled, that fallback is no longer available and the connection fails.

3. If an old browser supports only TLS 1.0 and 1.1, then after disabling TLS 1.0/1.1 you will not be able to log in to the PAM instance at all, because the HTTPS handshake fails. The following message is displayed in that case:

This page can’t be displayed.
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://PAM_SERVER_IP again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

4. If you have any devices that use only TLS 1.0 and 1.1, you will no longer be able to connect to those devices.

5. Password rotation for devices that use only TLS 1.0 and 1.1 will also fail, even when the change is attempted through scheduled jobs.

6. Connections from the CA PAM client will continue to work without any problem.
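Points 4 and 5 above make the practical question "which of my target devices will break?". The script below is an added example, not part of this article or of CA PAM: it pins a client handshake to one TLS version at a time against a host and then classifies the host by what would happen once TLS 1.0/1.1 are switched off. Host names, ports and the result labels are assumptions of this example.

```python
"""Inventory which TLS versions a device accepts before disabling TLS 1.0/1.1.
Added example (not CA PAM code); run as: python probe_tls.py host[:port] ..."""
import socket
import ssl
import sys
import warnings

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # inventory only; we are not trusting the peer
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.0/1.1 pins
            ctx.minimum_version = version
            ctx.maximum_version = version
        # The local OpenSSL may refuse TLS 1.0/1.1 at its default security level;
        # lower it for the probe so a failure reflects the remote device, not us.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        return False


def probe_host(host, port=443):
    """Per-version support map for one device, e.g. {'TLSv1.0': True, ...}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def classify(support):
    """Impact of disabling TLS 1.0/1.1 for a device with this support map."""
    modern = support.get("TLSv1.2") or support.get("TLSv1.3")
    legacy = support.get("TLSv1.0") or support.get("TLSv1.1")
    if modern:
        return "ok" if not legacy else "ok-legacy-still-enabled"
    if legacy:
        return "will-break"   # only TLS 1.0/1.1: connections and rotation will fail
    return "no-tls"           # nothing answered; unreachable or not a TLS service


if __name__ == "__main__":
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        result = probe_host(host, int(port or 443))
        print(f"{target:30} {classify(result):25} {result}")
```

Devices reported as "will-break" are the ones from points 4 and 5: they need a firmware or configuration update to TLS 1.2 before the PAM-side change, or their credentials will stop rotating.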