PCI Scan failing with weak cipher. Disabled on server. Is it pfSense?
-
Is the scan complaining about your pfSense instance or the web server behind it? pfSense runs its own web server to give you a GUI.
-
Well that's the question. Neither scan says. just that weak ciphers are used…but they -should- be disabled on the server based on IISCrypto.
But I also don't see how the scan could see the pfsense web gui and built in cert & ciphers if the admin isn't exposed to the WAN...
-
Well, what are you telling it to scan? Your pfSense WAN IP? A VIP forwarded to your IIS server? A range if public IPs that you own? Not enough detail!
-
It's a very simple setup. Just the sg-1000 and a single server behind it. Scans point to the domain which resolves to the WAN IP.
-
And are you forwarding port 80 or 443 traffic to the IIS server?
-
yes. Mentioned in OP.
Although 80 is redirected to 443 via URLRewrite and site is HSTS.
As noted, the server should have the weak ciphers disabled by and reported by IISCrypto.
-
Just checking :
Shut down the server on LAN.
Redo the test.
Results are the same ? or absent ? -
if your forwarding to your server and that is working, how exactly do you think you could be hitting the webgui that you do not have exposed even in your rules?
-
Well I don't think that it -is- possible, or shouldn't be unless I've got some misconfiguration.
But as noted, it's a super simple setup with just 2 public facing rules and 3 IP restricted rules.
Unfortunately, I can't run either the SSLLabs scan or the PCI scan with the server unplugged as they both expect webserver responses.
I guess I'm going to dig into the registry in case IIScrypto is reporting incorrectly
-
Why not change the webgui to an alternate port?
-
The webGUI is only available on the LAN side. Scans on WAN shouldn't see it at all.
FWIW…I am fairly sure this is a server misconfig....but I wanted to cover all the bases.
-
So I opened up pfsense webgui so I could scan it with same sslscanner.. I had already scanned it from the local side for what ciphers were offered, etc. Neither scanner doesn't even show that those ciphers you listed are offered..
using testssl.sh script https://github.com/drwetter/testssl.sh
Testing server preferencesHas server cipher order? yes (OK)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Cipher order
TLSv1.1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHAYour problem is your server not webgui pfsense.
Looking at the code that creates the nginx conf those weak ciphers are not listed either
https://github.com/pfsense/pfsense/blob/master/src/etc/inc/system.inc#L1499
$nginx_config .= "\t\tssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";\n";
$nginx_config .= "\t\tssl_prefer_server_ciphers on;\n";
-
The webGUI is only available on the LAN side. Scans on WAN shouldn't see it at all.
IIRC, WebGUI will be accessible from WAN if you make the mistake of having WebGUI listen on a port that you're trying to forward. You said earlier that you are forwarding both 80 and 443. Do you have WebGUI set t listen on a different port than those?
-
Thanks for doing that JohnPoz.
This is the answer I expected but I wanted to cover all the bases.
The issue is obviously something between what IISCrypto is showing and what the server is actually using.
