Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PCI Scan failing with weak cipher. Disabled on server. Is it pfSense?

    Scheduled Pinned Locked Moved General pfSense Questions
    16 Posts 5 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JayB
      last edited by

      I apologize if this is a silly question but I don't really know what else to look for.

      SG-1000 running 2.4.0

      Our webserver is running behind the sg-1000. It's running Server2012R2 fully patched and is the only machine on the lan side of things.

      Using ssllabs scans, we have an A+ rating but have shown weak ciphers in the results (see attached) despite having them disabled in IISCrypto. (see attached) I set this aside for "fix later" as I wasn't sure why, as the server seemed to be set up correctly. However fix later became fix now when our last PCI scan failed flagging

      TLS_RSA_WITH_3DES_EDE_CBC_SHA as the culprit.

      Given that IISCrypto shows that TLS_RSA_WITH_3DES_EDE_CBC_SHA is disabled on the server, my only thought is that perhaps there is an issue with the sq-1000 (I don't even know if that's possible?)

      We have an SG-2440 with Hardware crypto enabled for our VPN, but the SG-1000 has no VPN enabled. There's no external access to the admin console, no ssh. I don't even have any goofy rules, just 80 & 443 publicly available and some source IP limited rules for RDP & SCP which neither scan engine should be able to see.

      Is it even possible that these scan engines could see weak ciphers on the sg-1000 (if they are even there?) If so, is there a way to disable them? Any other ideas?

      fwiw, I just updated to 2.4.2_1 and will run the scan again just in case but I wanted to ask the question while I wait for the results.

      Capture2.JPG
      Capture2.JPG_thumb
      Capture.JPG
      Capture.JPG_thumb

      1 Reply Last reply Reply Quote 0
      • J
        JayB
        last edited by

        FWIW…applying the 4.2.2_1 update did not fix. Still failing.

        1 Reply Last reply Reply Quote 0
        • KOMK
          KOM
          last edited by

          Is the scan complaining about your pfSense instance or the web server behind it?  pfSense runs its own web server to give you a GUI.

          1 Reply Last reply Reply Quote 0
          • J
            JayB
            last edited by

            Well that's the question. Neither scan says. just that weak ciphers are used…but they -should- be disabled on the server based on IISCrypto.

            But I also don't see how the scan could see the pfsense web gui and built in cert & ciphers if the admin isn't exposed to the WAN...

            1 Reply Last reply Reply Quote 0
            • KOMK
              KOM
              last edited by

              Well, what are you telling it to scan?  Your pfSense WAN IP?  A VIP forwarded to your IIS server?  A range if public IPs that you own?  Not enough detail!

              1 Reply Last reply Reply Quote 0
              • J
                JayB
                last edited by

                It's a very simple setup. Just the sg-1000 and a single server behind it. Scans point to the domain which resolves to the WAN IP.

                1 Reply Last reply Reply Quote 0
                • KOMK
                  KOM
                  last edited by

                  And are you forwarding port 80 or 443 traffic to the IIS server?

                  1 Reply Last reply Reply Quote 0
                  • J
                    JayB
                    last edited by

                    yes. Mentioned in OP.

                    Although 80 is redirected to 443 via URLRewrite and site is HSTS.

                    As noted, the server should have the weak ciphers disabled by and reported by IISCrypto.

                    1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan
                      last edited by

                      Just checking :
                      Shut down the server on LAN.
                      Redo the test.
                      Results are the same ? or absent ?

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        if your forwarding to your server and that is working, how exactly do you think you could be hitting the webgui that you do not have exposed even in your rules?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • J
                          JayB
                          last edited by

                          Well I don't think that it -is- possible, or shouldn't be unless I've got some misconfiguration.

                          But as noted, it's a super simple setup with just 2 public facing rules and 3 IP restricted rules.

                          Unfortunately, I can't run either the SSLLabs scan or the PCI scan with the server unplugged as they both expect webserver responses.

                          I guess I'm going to dig into the registry in case IIScrypto is reporting incorrectly

                          1 Reply Last reply Reply Quote 0
                          • dotdashD
                            dotdash
                            last edited by

                            Why not change the webgui to an alternate port?

                            1 Reply Last reply Reply Quote 0
                            • J
                              JayB
                              last edited by

                              The webGUI is only available on the LAN side. Scans on WAN shouldn't see it at all.

                              FWIW…I am fairly sure this is a server misconfig....but I wanted to cover all the bases.

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                So I opened up pfsense webgui so I could scan it with same sslscanner.. I had already scanned it from the local side for what ciphers were offered, etc.  Neither scanner doesn't even show that those ciphers you listed are offered..

                                using testssl.sh script https://github.com/drwetter/testssl.sh
                                Testing server preferences

                                Has server cipher order?    yes (OK)
                                Negotiated protocol          TLSv1.2
                                Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
                                Cipher order
                                    TLSv1.1:  ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
                                    TLSv1.2:  ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384
                                              ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA

                                Your problem is your server not webgui pfsense.

                                Looking at the code that creates the nginx conf those weak ciphers are not listed either

                                https://github.com/pfsense/pfsense/blob/master/src/etc/inc/system.inc#L1499
                                $nginx_config .= "\t\tssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";\n";
                                $nginx_config .= "\t\tssl_prefer_server_ciphers      on;\n";

                                ciphersoffered.png
                                ciphersoffered.png_thumb

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • KOMK
                                  KOM
                                  last edited by

                                  The webGUI is only available on the LAN side. Scans on WAN shouldn't see it at all.

                                  IIRC, WebGUI will be accessible from WAN if you make the mistake of having WebGUI listen on a port that you're trying to forward.  You said earlier that you are forwarding both 80 and 443.  Do you have WebGUI set t listen on a different port than those?

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    JayB
                                    last edited by

                                    Thanks for doing that JohnPoz.

                                    This is the answer I expected but I wanted to cover all the bases.

                                    The issue is obviously something between what IISCrypto is showing and what the server is actually using.

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.