Netgate Discussion Forum

    Pfblockerng false positive vulnerabilities?

    5 Posts 2 Posters 1.3k Views
    • A Former User

      Hey Guys,

      So I freaking love pfblockerng and I'm just getting into some vulnerability scanning, and my OpenVAS 9 shows these two vulnerabilities with the following:

      SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
      SSL/TLS: Certificate Signed Using a Weak Signature Algorithm

      So like I said, I'm a noob at security and was wondering if this is actually a thing or a false positive or something.

      Thanks Guys!

      And thanks for pfblockerng bbcan!!

      • BBcan177 (Moderator)

        Thanks!

        I don't think anyone can offer any advice with the limited info in your email. Can you add some more detail about this assessment, etc.? It seems that your webserver or app is weak in its TLS settings. Not sure if that's related to pfSense tho…

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • A Former User

          Thanks for your reply!

          I can definitely provide more info. I've attached a screenshot of both of the OpenVAS reports, hopefully this info helps.

          Thanks!

          [Attachments: Capture.PNG, Capture1.PNG]

          • BBcan177 (Moderator)

            Domains that are listed in DNSBL will be redirected to the DNSBL VIP address. The browser will attempt to load the DNSBL index.php file which for HTTP sites will load the index.php and that will load the 1x1 pix to terminate the browser request. The widget and logs are also updated accordingly.

            However, for HTTPS requests, the browser will attempt to connect to the DNSBL Lighttpd web server and see that the DNSBL certificate does not match the domain name being requested, so it will terminate the connection. This process will ensure that the browser request is terminated; otherwise the browser will time out waiting to load the blocked domain being requested.

            The vulnerability screenshots you show can be safely ignored.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            • A Former User
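To separate scanner findings that come from the DNSBL sinkhole (whose certificate is never meant to validate) from findings on hosts that still need a real look, here is an added example in Python; it is not code from this thread or from pfBlockerNG, and it assumes the default DNSBL VIP `10.10.10.1` and a constructed sample of OpenVAS findings.

```python
"""Triage OpenVAS TLS findings against a pfBlockerNG DNSBL sinkhole."""
import socket
import ssl

# Assumed DNSBL VIP; read the real value from Firewall > pfBlockerNG > DNSBL.
DNSBL_VIP = "10.10.10.1"

# Constructed sample in the shape of an OpenVAS export: (host, port, NVT name).
SAMPLE_FINDINGS = [
    ("10.10.10.1", 443, "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability"),
    ("10.10.10.1", 443, "SSL/TLS: Certificate Signed Using a Weak Signature Algorithm"),
    ("192.168.1.1", 443, "SSL/TLS: Certificate Signed Using a Weak Signature Algorithm"),
]


def triage_findings(findings, vip=DNSBL_VIP):
    """Split TLS findings into those raised against the DNSBL VIP (expected:
    the sinkhole cert is meant to fail validation so the browser drops the
    request) and those against any other host, which still need review
    (for example the pfSense web GUI itself)."""
    sinkhole, needs_review = [], []
    for host, port, name in findings:
        (sinkhole if host == vip else needs_review).append((host, port, name))
    return sinkhole, needs_review


def confirm_sinkhole_behaviour(vip, blocked_domain, port=443, timeout=5.0):
    """Live check (needs network access to the VIP): open a TLS connection to
    the VIP with SNI set to a blocked domain and require full verification.
    On a working sinkhole the handshake fails verification (self-signed
    and/or hostname mismatch), which is exactly what makes the browser
    terminate the request. Returns True for that expected failure, False if
    the handshake verified cleanly, and None if nothing answered on the port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    try:
        with socket.create_connection((vip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=blocked_domain):
                return False
    except ssl.SSLCertVerificationError:
        return True
    except OSError:
        return None


if __name__ == "__main__":
    sink, review = triage_findings(SAMPLE_FINDINGS)
    print("sinkhole (ignore):", sink)
    print("needs review:", review)
```

Run `confirm_sinkhole_behaviour(DNSBL_VIP, "some-blocked.example")` from a client inside the network to see the verification failure the moderator describes for HTTPS.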

              Awesome thanks for the very detailed and easy to understand explanation!

              Keep up the good work!!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.