Disable SSL3 in web gui interface
-
Hello,
I have pfSense 2.3.2-RELEASE (amd64). Can I disable SSL3, leaving only TLS 1.1 / 1.2, in the web GUI interface?
Thanks
-
No need to, that's default.
https://github.com/pfsense/pfsense/blob/RELENG_2_3_2/src/etc/inc/system.inc#L1340
-
Just checked my pfSense box... Don't see any SSL3 ;)
user@ubuntu:~$ nmap --script ssl-enum-ciphers -p 443 pfsense.local.lan
Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-09 14:15 CST
Nmap scan report for pfsense.local.lan (192.168.9.253)
Host is up (0.0018s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
user@ubuntu:~$
A different kind of check:
user@ubuntu:~$ openssl s_client -connect pfsense.local.lan:443 -ssl3
CONNECTED(00000003)
140394176988832:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:599:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv3
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1481314641
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
---
user@ubuntu:~$
No connection via SSL3
-
I'm stupid :D
The problem is on port 3000 (Ntopng) :D
Thanks a lot
Stefano
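
Added example (not part of the original thread): since the finding turned out to belong to a different port than the web GUI, this Python code parses `nmap --script ssl-enum-ciphers` text output covering several ports and lists which ones offer a legacy protocol. The sample scan text, the `LEGACY` set and the function names are constructed for illustration.

```python
import re

# Versions flagged as legacy: an assumption of this example (the thread only asks about SSL3).
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0"}
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PROTO_RE = re.compile(r"^\|[ _]\s+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]\s+((?:TLS|SSL)_\w+)\b")

def parse_ssl_enum(text):
    """Map port -> {protocol: [ciphers]} from ssl-enum-ciphers text output."""
    result, port, proto = {}, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None   # a new port resets the protocol
            result[port] = {}
        elif port is None:
            continue                              # lines before the first port row
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
            result[port][proto] = []
        elif (m := CIPHER_RE.match(line)) and proto:
            result[port][proto].append(m.group(1))
    return result

def legacy_findings(parsed):
    """Sorted (port, protocol) pairs where a legacy protocol is offered."""
    return sorted((p, v) for p, protos in parsed.items() for v in protos if v in LEGACY)

# Constructed sample in nmap's layout; both port entries are invented for illustration.
SAMPLE = """\
PORT     STATE SERVICE
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
3000/tcp open  ppp
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""

if __name__ == "__main__":
    for port, proto in legacy_findings(parse_ssl_enum(SAMPLE)):
        print(f"port {port}: legacy protocol {proto} offered")
```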