Disable SSL3 in web gui interface



  • Hello,
    I have pfSense 2.3.2-RELEASE (amd64).

    Can I disable SSL3 and leave only TLS 1.1 / 1.2 in the web GUI interface?

    Thanks


  • Rebel Alliance Global Moderator

    Just checked on my pfSense box.. Don't see any ssl3 ;)

    
    user@ubuntu:~$ nmap --script ssl-enum-ciphers -p 443 pfsense.local.lan
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-09 14:15 CST
    Nmap scan report for pfsense.local.lan (192.168.9.253)
    Host is up (0.0018s latency).
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.1:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |     compressors:
    |       NULL
    |   TLSv1.2:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |     compressors:
    |       NULL
    |_  least strength: strong
    
    Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
    user@ubuntu:~$
    
    

    A different kind of check:

    
    user@ubuntu:~$ openssl s_client -connect pfsense.local.lan:443 -ssl3
    CONNECTED(00000003)
    140394176988832:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:599:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1481314641
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    user@ubuntu:~$
    
    

    No connection via ssl3.
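    The two checks above are easy to run by hand on one port, but the OP's real problem turned out to be a second listener. An added example (not from the thread, nor part of pfSense or nmap) that parses `ssl-enum-ciphers` output and fails a host when anything other than the allowed TLS versions is offered, so the same policy can be applied to every port a scan returns. The first sample is the moderator's port-443 scan; the second is constructed here to show what a failing listener looks like and is not a real scan of ntopng. The strength words follow the Nmap 6.40 wording in the thread (newer releases print letter grades, handled as noted in the comments).

```python
import re
from typing import Dict, List

# Scan from the moderator's post above (pfSense web GUI on 443/tcp).
GOOD_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Constructed sample (not a real scan): a listener on another port that still
# offers SSLv3 and TLSv1.0, a weak cipher and TLS compression.
BAD_SCAN = """\
PORT     STATE SERVICE
3000/tcp open  ppp
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA - weak
|     compressors:
|       DEFLATE
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: weak
"""

VERSION_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3])$")
CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+-\s+(\S+)$")
COMPRESSOR_RE = re.compile(r"^[A-Za-z0-9]+$")

# Versions a hardened web GUI may offer; everything else is a finding.
ALLOWED_DEFAULT = ("TLSv1.1", "TLSv1.2", "TLSv1.3")
# Nmap 6.40 prints "strong"/"weak"; 7.x prints letter grades, "A" being the best.
ACCEPTABLE_STRENGTH = {"strong", "A"}


def parse_enum_ciphers(text: str) -> Dict[str, Dict[str, list]]:
    """Return {version: {"ciphers": [(name, strength)], "compressors": [name]}}."""
    offered: Dict[str, Dict[str, list]] = {}
    proto = section = None
    for raw in text.splitlines():
        if not raw.lstrip().startswith("|"):
            continue  # only the script's tree lines matter
        body = raw.lstrip().lstrip("|_ ").rstrip()
        if body.endswith(":"):  # a tree header: version, ciphers, compressors, ...
            name = body[:-1]
            if VERSION_RE.match(name):
                proto, section = name, None
                offered[proto] = {"ciphers": [], "compressors": []}
            else:
                section = name if name in ("ciphers", "compressors") else None
            continue
        if proto is None:
            continue
        if section == "ciphers":
            m = CIPHER_RE.match(body)
            if m:
                offered[proto]["ciphers"].append((m.group(1), m.group(2)))
        elif section == "compressors" and COMPRESSOR_RE.match(body):
            offered[proto]["compressors"].append(body)
    return offered


def assess(scan: str, allowed=ALLOWED_DEFAULT) -> List[str]:
    """Apply the version/cipher/compression policy; an empty list means pass."""
    offered = parse_enum_ciphers(scan)
    if not offered:
        return ["no ssl-enum-ciphers output found (is the port speaking TLS?)"]
    findings: List[str] = []
    for proto, data in offered.items():
        if proto not in allowed:
            findings.append(f"{proto} offered")
        for cipher, strength in data["ciphers"]:
            if strength not in ACCEPTABLE_STRENGTH:
                findings.append(f"{proto}: {cipher} rated {strength}")
        for comp in data["compressors"]:
            if comp != "NULL":  # TLS compression enabled
                findings.append(f"{proto}: TLS compression {comp} enabled")
    return findings


if __name__ == "__main__":
    for label, scan in (("443/tcp", GOOD_SCAN), ("3000/tcp (constructed)", BAD_SCAN)):
        problems = assess(scan)
        print(label, "OK" if not problems else "FAIL")
        for p in problems:
            print("  -", p)
```

    Feed it the output of `nmap --script ssl-enum-ciphers -p- <host>` one port block at a time and the 443 block passes while any forgotten service still speaking SSLv3, like the ntopng port the OP found, fails the check.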



  • I'm stupid :D

    The problem is on port 3000 (Ntopng) :D
    Thanks a lot
    Stefano