PCI Scan failing with weak cipher. Disabled on server. Is it pfSense?

  • I apologize if this is a silly question but I don't really know what else to look for.

    SG-1000 running 2.4.0

    Our webserver is running behind the sg-1000. It's running Server2012R2 fully patched and is the only machine on the lan side of things.

    Using ssllabs scans, we have an A+ rating but have shown weak ciphers in the results (see attached) despite having them disabled in IISCrypto. (see attached) I set this aside for "fix later" as I wasn't sure why, as the server seemed to be set up correctly. However fix later became fix now when our last PCI scan failed flagging

    TLS_RSA_WITH_3DES_EDE_CBC_SHA as the culprit.

    Given that IISCrypto shows that TLS_RSA_WITH_3DES_EDE_CBC_SHA is disabled on the server, my only thought is that perhaps there is an issue with the sq-1000 (I don't even know if that's possible?)

    We have an SG-2440 with Hardware crypto enabled for our VPN, but the SG-1000 has no VPN enabled. There's no external access to the admin console, no ssh. I don't even have any goofy rules, just 80 & 443 publicly available and some source IP limited rules for RDP & SCP which neither scan engine should be able to see.

    Is it even possible that these scan engines could see weak ciphers on the sg-1000 (if they are even there?) If so, is there a way to disable them? Any other ideas?

    fwiw, I just updated to 2.4.2_1 and will run the scan again just in case but I wanted to ask the question while I wait for the results.

  • FWIW…applying the 4.2.2_1 update did not fix. Still failing.

  • Is the scan complaining about your pfSense instance or the web server behind it?  pfSense runs its own web server to give you a GUI.

  • Well that's the question. Neither scan says. just that weak ciphers are used…but they -should- be disabled on the server based on IISCrypto.

    But I also don't see how the scan could see the pfsense web gui and built in cert & ciphers if the admin isn't exposed to the WAN...

  • Well, what are you telling it to scan?  Your pfSense WAN IP?  A VIP forwarded to your IIS server?  A range if public IPs that you own?  Not enough detail!

  • It's a very simple setup. Just the sg-1000 and a single server behind it. Scans point to the domain which resolves to the WAN IP.

  • And are you forwarding port 80 or 443 traffic to the IIS server?

  • yes. Mentioned in OP.

    Although 80 is redirected to 443 via URLRewrite and site is HSTS.

    As noted, the server should have the weak ciphers disabled by and reported by IISCrypto.

  • Just checking :
    Shut down the server on LAN.
    Redo the test.
    Results are the same ? or absent ?

  • LAYER 8 Global Moderator

    if your forwarding to your server and that is working, how exactly do you think you could be hitting the webgui that you do not have exposed even in your rules?

  • Well I don't think that it -is- possible, or shouldn't be unless I've got some misconfiguration.

    But as noted, it's a super simple setup with just 2 public facing rules and 3 IP restricted rules.

    Unfortunately, I can't run either the SSLLabs scan or the PCI scan with the server unplugged as they both expect webserver responses.

    I guess I'm going to dig into the registry in case IIScrypto is reporting incorrectly

  • Why not change the webgui to an alternate port?

  • The webGUI is only available on the LAN side. Scans on WAN shouldn't see it at all.

    FWIW…I am fairly sure this is a server misconfig....but I wanted to cover all the bases.

  • LAYER 8 Global Moderator

    So I opened up pfsense webgui so I could scan it with same sslscanner.. I had already scanned it from the local side for what ciphers were offered, etc.  Neither scanner doesn't even show that those ciphers you listed are offered..

    using testssl.sh script https://github.com/drwetter/testssl.sh
    Testing server preferences

    Has server cipher order?    yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
    Cipher order
                  ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA

    Your problem is your server not webgui pfsense.

    Looking at the code that creates the nginx conf those weak ciphers are not listed either

    $nginx_config .= "\t\tssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";\n";
    $nginx_config .= "\t\tssl_prefer_server_ciphers      on;\n";

  • The webGUI is only available on the LAN side. Scans on WAN shouldn't see it at all.

    IIRC, WebGUI will be accessible from WAN if you make the mistake of having WebGUI listen on a port that you're trying to forward.  You said earlier that you are forwarding both 80 and 443.  Do you have WebGUI set t listen on a different port than those?

  • Thanks for doing that JohnPoz.

    This is the answer I expected but I wanted to cover all the bases.

    The issue is obviously something between what IISCrypto is showing and what the server is actually using.

Log in to reply