Netgate Discussion Forum
    • H

      CVE-2024-3596 / Radius client msg authenticator attribute

      General pfSense Questions cve-2024-3596 security vulnerability radius
      0 Votes
      2 Posts
      382 Views
      stephenw10

      If you have set that I would expect no issue since the server would reject any unauthenticated requests.

    • JonathanLee

      CVE forum discussion categories?

      Off-Topic & Non-Support Discussion vulnerability
      1 Votes
      20 Posts
      2k Views
      JonathanLee

      I got rid of some multiples in CURL and Strongswan by installing and uninstalling the package NUT again. NUT had some left over files from the last pfSense version.


    • S

      PING vulnerability in FreeBSD: are we affected? Mitigations or updates available?

      General pfSense Questions security vulnerability freebsd
      0 Votes
      5 Posts
      968 Views
      johnpoz

      @stepinsky you would need to edit the subject (i.e. your first post), then you can edit that and add a tag of solved, etc.

    • S

      OpenSSL vulnerability: pfSense affected?

      General pfSense Questions openssl security vulnerability
      0 Votes
      3 Posts
      928 Views
      johnpoz

      @stepinsky said in OpenSSL vulnerability: pfSense affected?:

      I cannot judge the relevance of the vulnerability for pfSense users.

      That is the big question for sure.. The analysis is still underway at NIST

      https://nvd.nist.gov/vuln/detail/CVE-2021-3712
      This vulnerability is currently awaiting analysis.

      The key really being
      "If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit."

      Would that be something that could be done with how and when pfSense uses OpenSSL? And it seems there is a patch for FreeBSD
      https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc

      So when Netgate/pfSense feels it's prudent, sure they will make it available.

      edit: Well this openssl thing was in one of the many newsletters I get ;) In one today.. Doesn't seem like it is too much of a concern to be honest.

      Here is the article if interested
      https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/

    • F

      Remove the nginx file from PFSense

      Problems Installing or Upgrading pfSense Software web gui nginx vulnerability
      0 Votes
      10 Posts
      2k Views
      johnpoz

      Internal scan is only if you're a service provider... And you sure as hell do not need to make the web GUI of pfSense available on the networks that are involved in the PCI..

      For example - we are a service provider, we host stuff that is PCI for customers... We don't need to scan the management VLAN, only need to scan the networks that are directly involved in the processing of the payments..

      We are not scanning every single network in the company... You only need to scan the network related to your PCI environment.. If your switches and/or routers and firewall interfaces are available on your PCI networks - you're doing it wrong!

    • T

      CVE-2019-14899

      General pfSense Questions security vulnerability
      0 Votes
      3 Posts
      552 Views
      T

      Sorry there is another thread on this:
      https://forum.netgate.com/topic/148713/cve-2019-14899