    Pfblockerng false positive vulnerabilities?

    pfBlockerNG
    • ?
      A Former User last edited by

      Hey Guys,

      So I freaking love pfblockerng and I'm just getting into some vulnerability scanning and my openvas 9 shows these two vulnerabilities with the following:

      SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
      SSL/TLS: Certificate Signed Using a Weak Signature Algorithm

      So like I said I'm a noob at security and was wondering if this is actually a thing or a false positive or something.

      Thanks Guys!

      And thanks for pfblockerng bbcan!!

      • BBcan177
        BBcan177 Moderator last edited by

        Thanks!

        I don't think anyone can offer any advice with the limited info in your email. Can you add some more detail about this assessment etc. It seems that your webserver or app is weak in its TLS settings. Not sure if that's related to pfSense tho…

        • ?
          A Former User last edited by

          Thanks for your reply!

          I can definitely provide more info.  I've attached a screenshot of both of the Openvas reports, hopefully this info helps.

          Thanks!

          • BBcan177
            BBcan177 Moderator last edited by

            Domains that are listed in DNSBL will be redirected to the DNSBL VIP address. The browser will attempt to load the DNSBL index.php file which for HTTP sites will load the index.php and that will load the 1x1 pixel to terminate the browser request. The widget and logs are also updated accordingly.

            However, for HTTPS requests, the browser will attempt to connect to the DNSBL Lighttpd web server and see that the DNSBL certificate does not match the domain name being requested, so it will terminate the connection. This process will ensure that the browser request is terminated, otherwise the browser will timeout waiting to load the blocked domain being requested.

            The vulnerability screenshots you show can be safely ignored.

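The request flow described in the post above, as an added sketch that is not part of the original thread or of pfBlockerNG's code. The VIP address, blocklist entries, origin address and certificate name are constructed sample values, and the function names are hypothetical.

```python
# Constructed sample values (assumptions for illustration, not from the thread).
DNSBL_VIP = "10.10.10.1"
BLOCKLIST = {"ads.example.net", "tracker.example.org"}
DNSBL_CERT_NAMES = ["dnsbl.invalid"]  # names carried by the sinkhole's certificate


def resolve(domain, real_ip="203.0.113.10"):
    """DNSBL step: listed domains resolve to the VIP instead of their real address."""
    return DNSBL_VIP if domain.lower().rstrip(".") in BLOCKLIST else real_ip


def name_matches(pattern, host):
    """Certificate name check: exact match, or a single left-most '*' label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and never a bare top-level suffix.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def browser_request(scheme, domain):
    """Return what the client ends up with for a request to `domain`."""
    ip = resolve(domain)
    if ip != DNSBL_VIP:
        return "passed to origin " + ip
    if scheme == "http":
        # index.php answers with a 1x1 pixel; the widget and logs record the block.
        return "1x1 pixel served, request ends"
    # HTTPS: the client compares the requested name with the sinkhole certificate.
    if any(name_matches(n, domain) for n in DNSBL_CERT_NAMES):
        return "TLS session established"
    return "certificate name mismatch, connection terminated"


if __name__ == "__main__":
    for scheme, domain in [("http", "ads.example.net"),
                           ("https", "ads.example.net"),
                           ("https", "www.example.com")]:
        print(scheme, domain, "->", browser_request(scheme, domain))
```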
            • ?
              A Former User last edited by

              Awesome thanks for the very detailed and easy to understand explanation!

              Keep up the good work!!
