TLS 1.0 support issues

divsys

The various  PCI scanners out there, will look for open ports and try to connect with some of the more common protocols looking for potentially "problematic" setups.

They are not particularly accurate or even that useful IMHO.
For instance you can easily turn on WAN logging of everything, run the scanner and determine the address they're scanning you from.
Set a rule to block them and <poof>you pass your scan.

Unfortunately, if you have an actual attack from someone else and the PCI folks get wind of your block, it might not end well…..

All that said you can try and force OpenVPN to TLS 1.1 with "tls-version-min 1.1" added to your OpenVPN server.
Easy enough to try and see if that resolves the scanner's issue.

Don't know if the pfSense GUI will allow a request for TLS 1.0 though.
Do you have the GUI available on the WAN port?</poof>

viragomann

@divsys:

The various  PCI scanners out there, will look for open ports and try to connect with some of the more common protocols looking for potentially "problematic" setups.

So TLS 1.0 could also be used at any host behind pfSense which gets ports forwarded.

@Benconnected:

We have a VPN set up between two locations using OpenSSL, both running PFSense v2.2.6. So I'm assuming it has to do with OpenSSL.

So if it is a site to site vpn adjust your firewall rule to allow only the partners IP address to access vpn server.

johnpoz

All good stuff, I am very curious to what exactly he is scanning… Since when you scan openvpn server on 443... It doesn't show that its running anything with normal ssl/tls scanners.

divsys

PCI scanners are not something you have control over in the typical sense.

They're a service you call upon to verify that your site is PCI compliant.
Typically you give them your WEB facing FQDN and let them go.
They "attack" your site, by trying various "holes" that they know about and give you a report at the end of it all.

They may very well try bogus connections to 443, attempt scripts that enable TLS 1.0, etc.
You don't know what they're going to try (it's always changing), just what the results are.

johnpoz

Well you can setup openvpn to use 1.2..  with simple advanced command, someone mentioned 1.1, but 1.2 is good with any openvpn client above like 2.3.3 I think.. Current is 2.3.10

You can see here I connected with 1.2
Fri Mar 04 11:06:49 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

tls-version-min 1.2

cmb

@johnpoz:

Well you can setup openvpn to use 1.2..  with simple advanced command, someone mentioned 1.1, but 1.2 is good with any openvpn client above like 2.3.3 I think.. Current is 2.3.10

Yeah that'll do it.

But I'm guessing it's not likely OpenVPN that the scanner found. The most common OpenVPN configurations aren't able to be scanned in that manner to know what they support. Could be the web interface, in which case it shouldn't be open to the Internet. Could be something that's on a server behind the firewall that's opened up.

johnpoz

Yeah I don't think its openvpn as well, since no scanners I try see it as valid tls/ssl, etc.  Not sure what he is doing with openssl??  Maybe language issue?

Benconnected

Update -

It was just scanning the web interface, nothing to do with VPN, so this topic probably belongs in the webGUI forum instead. I disabled webGUI access from the WAN and it passed. I'm still interested in how we could disable TLS 1.0 support for the webGUI.

johnpoz

Why did you bring up openssl?

But you can edit what ciphers are presented

/etc/inc/system.inc

so you could edit this line

$lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";

To say something like

$lighty_config .= "ssl.cipher-list = \"TLSv1.2:!aNULL:!eNULL:!DSS\"\n";

restart your webconfigurator

And then run a sslscan and you see rejected for all your 1 if using the old 1.8 version on linux that doesn't support 1.1 and 1.2, can not seem to find real quick version of current 1.11 version for linux install so attached you will see scan of my pfsense box only accepting tls 1.2

Then the scan before that showing accepting 1.0 and 1.1

But I really would not suggest you leave your pfsense web gui open to the public internet ever!!!

Keep in mind any update to pfsense is most likely going to over write this setting..

cmb

I disabled TLSv1.0 for the web interface in future versions. There aren't any known weaknesses in TLSv1.0 with the strong config we use (A+ on ssllabs.com with TLSv1.0 enabled), but that doesn't really pose significant compatibility complications at this point.
https://redmine.pfsense.org/issues/5984

The change johnpoz noted will accomplish that for 2.2.x and earlier releases. Frankly I wouldn't bother, that's not a PCI failure yet and has no security impact at this time. Where you had any management interface open to the Internet, that's a good indication that you have real security problems elsewhere to fix.

2chemlud

@johnpoz:

Well you can setup openvpn to use 1.2..  with simple advanced command, someone mentioned 1.1, but 1.2 is good with any openvpn client above like 2.3.3 I think.. Current is 2.3.10

You can see here I connected with 1.2
Fri Mar 04 11:06:49 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

tls-version-min 1.2

May I ask which pfSense log does provide the info on the TLS version employed for openVPN connects? Slightly OT, I know, but… :-)

johnpoz

Its in the system log / openvpn you can see I just connected with 1.2

Apr 7 14:20:17 openvpn 43383 xxx.xxx.237.38:51182 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA