TLS 1.0 support issues
-
Our PCI compliance scan is failing because our PFSense routers support TLS 1.0. Is it possible to disable 1.0 and use just 1.1 and 1.2? We have a VPN set up between two locations using OpenSSL, both running PFSense v2.2.6. So I'm assuming it has to do with OpenSSL.
-
what exactly are you scanning?? I am connected to the pfsense webgui and its TLS 1.2
Did you mean openvpn for your site to site vpn… How exactly did you create a vpn with openssl? And where would you be scanning that from?
-
The various PCI scanners out there, will look for open ports and try to connect with some of the more common protocols looking for potentially "problematic" setups.
They are not particularly accurate or even that useful IMHO.
For instance you can easily turn on WAN logging of everything, run the scanner and determine the address they're scanning you from.
Set a rule to block them and <poof>you pass your scan.Unfortunately, if you have an actual attack from someone else and the PCI folks get wind of your block, it might not end well…..
All that said you can try and force OpenVPN to TLS 1.1 with "tls-version-min 1.1" added to your OpenVPN server.
Easy enough to try and see if that resolves the scanner's issue.Don't know if the pfSense GUI will allow a request for TLS 1.0 though.
Do you have the GUI available on the WAN port?</poof> -
The various PCI scanners out there, will look for open ports and try to connect with some of the more common protocols looking for potentially "problematic" setups.
So TLS 1.0 could also be used at any host behind pfSense which gets ports forwarded.
We have a VPN set up between two locations using OpenSSL, both running PFSense v2.2.6. So I'm assuming it has to do with OpenSSL.
So if it is a site to site vpn adjust your firewall rule to allow only the partners IP address to access vpn server.
-
All good stuff, I am very curious to what exactly he is scanning… Since when you scan openvpn server on 443... It doesn't show that its running anything with normal ssl/tls scanners.
-
PCI scanners are not something you have control over in the typical sense.
They're a service you call upon to verify that your site is PCI compliant.
Typically you give them your WEB facing FQDN and let them go.
They "attack" your site, by trying various "holes" that they know about and give you a report at the end of it all.They may very well try bogus connections to 443, attempt scripts that enable TLS 1.0, etc.
You don't know what they're going to try (it's always changing), just what the results are. -
Well you can setup openvpn to use 1.2.. with simple advanced command, someone mentioned 1.1, but 1.2 is good with any openvpn client above like 2.3.3 I think.. Current is 2.3.10
You can see here I connected with 1.2
Fri Mar 04 11:06:49 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSAtls-version-min 1.2
-
Well you can setup openvpn to use 1.2.. with simple advanced command, someone mentioned 1.1, but 1.2 is good with any openvpn client above like 2.3.3 I think.. Current is 2.3.10
Yeah that'll do it.
But I'm guessing it's not likely OpenVPN that the scanner found. The most common OpenVPN configurations aren't able to be scanned in that manner to know what they support. Could be the web interface, in which case it shouldn't be open to the Internet. Could be something that's on a server behind the firewall that's opened up.
-
Yeah I don't think its openvpn as well, since no scanners I try see it as valid tls/ssl, etc. Not sure what he is doing with openssl?? Maybe language issue?
-
Update -
It was just scanning the web interface, nothing to do with VPN, so this topic probably belongs in the webGUI forum instead. I disabled webGUI access from the WAN and it passed. I'm still interested in how we could disable TLS 1.0 support for the webGUI.
-
Why did you bring up openssl?
But you can edit what ciphers are presented
/etc/inc/system.inc
so you could edit this line
$lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";To say something like
$lighty_config .= "ssl.cipher-list = \"TLSv1.2:!aNULL:!eNULL:!DSS\"\n";restart your webconfigurator
And then run a sslscan and you see rejected for all your 1 if using the old 1.8 version on linux that doesn't support 1.1 and 1.2, can not seem to find real quick version of current 1.11 version for linux install so attached you will see scan of my pfsense box only accepting tls 1.2
Then the scan before that showing accepting 1.0 and 1.1
But I really would not suggest you leave your pfsense web gui open to the public internet ever!!!
Keep in mind any update to pfsense is most likely going to over write this setting..
-
I disabled TLSv1.0 for the web interface in future versions. There aren't any known weaknesses in TLSv1.0 with the strong config we use (A+ on ssllabs.com with TLSv1.0 enabled), but that doesn't really pose significant compatibility complications at this point.
https://redmine.pfsense.org/issues/5984The change johnpoz noted will accomplish that for 2.2.x and earlier releases. Frankly I wouldn't bother, that's not a PCI failure yet and has no security impact at this time. Where you had any management interface open to the Internet, that's a good indication that you have real security problems elsewhere to fix.
-
Well you can setup openvpn to use 1.2.. with simple advanced command, someone mentioned 1.1, but 1.2 is good with any openvpn client above like 2.3.3 I think.. Current is 2.3.10
You can see here I connected with 1.2
Fri Mar 04 11:06:49 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSAtls-version-min 1.2
May I ask which pfSense log does provide the info on the TLS version employed for openVPN connects? Slightly OT, I know, but… :-)
-
Its in the system log / openvpn you can see I just connected with 1.2
Apr 7 14:20:17 openvpn 43383 xxx.xxx.237.38:51182 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
