Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ryan Coleman
First off you’d upgrade the installation of pfSense - what version do you have 
installed/running? The current version is 2.2.3.


> On Jul 24, 2015, at 3:51 PM, Ted Byers  wrote:
> 
> I have checked our installation of our website (a classic protected LAN
> with a DMZ formed by two pfsense machines serving as our inner and outer
> firewall, and one machine in the DMZ and the rest behind the inner
> firewall) using a PCI scanner.
> 
> The PCI scan identified two vulnerabilities WRT our pfsense machines.
> 
> First, the scanner complains that TLS1 is supported and we need to restrict
> it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
> that did not make the complaint go away, so is there anything else that
> uses TLS that we need to reconfigure to use only TLS1.2?
> Second, it appears that ssh-server on pfsense is version 6.6 and it would
> be good if we can upgrade that to 6.9 or better (well, if there is better -
> the scan only complains the version if earlier than 6.9)
> 
> If we can fix these two things, a little over half of the complaints from
> the scanner will be resolved.  I have spent a couple days using google,
> trying to resolve these, but to no avail (compounded by the fact the signal
> to noise ratio in my searches was abysmal).
> 
> Thanks
> 
> Ted
> 
> -- 
> R.E.(Ted) Byers, Ph.D.,Ed.D.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Adam Thompson
I'm 95% sure the answer is "wait for the developers to fix those issues" 
and/or "become a developer and fix those issues" :-).


Configuration of lighttpd is controlled by the pfSense management 
framework, so once you discover the correct invocation, you could 
locally modify the PHP file that generates the configuration.


In theory, all you need to add to /var/etc/lighty-webConfigurator.conf 
would be


  ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"

but you need to find where in the PHP framework that file gets written.  
I can't find it in under 60 seconds, so you're on your own there.


As to updating sshd, that's replacing a core piece of the system. I'm 
not even going to speculate how or what the impact would be.


-Adam




Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Steve Yates
Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:

> First, the scanner complains that TLS1 is supported and we need to restrict
> it to TLS1.2.

> Second, it appears that ssh-server on pfsense is version 6.6 

Is this an internal scan or external?  Hopefully those aren't exposed 
externally.  If internal, can access be limited to certain IPs?

This probably isn't the forum to discuss, but the TLS 1.0 one is a fun 
one...that will catch Remote Desktop Services, and Vista and below don't 
support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ 
enabled by default.

--

Steve Yates
ITS, Inc.




Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
We have version 2.2.2.

What is the easiest way to upgrade one minor version?  On Ubuntu, I'd use
'apt-get update' and/or 'apt-get upgrade', or one of the variants thereof.
But, if I understand correctly, pfsense is built on FreeBSD, about which I
know nothing.

Thanks

Ted

-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
Thanks for this.  I'd hoped it would be as simple as apt-get update &&
apt-get upgrade && apt-get update openssh-server.  That is, whatever the
equivalent of apt-get is on a pfsense machine, I'd hoped it would be a
command invoked from ssh to ask the system to check for updates and apply
any found.

Thanks

Ted

-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread David Burgess
On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers  wrote:
> Thanks for this.  I'd hoped it would be as simple as apt-get-update &&
> apt-get upgrade && apt-get update openssh-server.  That is,whatever the
> equivalent of apt-get is on a pfsense machine, I'd hoped it would be a
> command invoked from ssh to ask the system to check for updates and apply
> any found.


PFSense is more like a firmware than an OS. While the possibility of
updating, replacing, or adding components does exist, it is generally
discouraged for the typical user. Log into the web UI and navigate to
System: Firmware: Auto Update and run your upgrade from there.

db


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
This is an external scan.  We forward ports such as 443 and 22 to specific
Ubuntu machines.  But both sshd and apache have been configured to accept
only TLS1.2.

Port 443 must be open to support the web server in our DMZ, and we need ssh
to connect to each machine for administration purposes.  (If there is a
better way, I do not know what it is or how to do it. I am a programmer
tasked with setting this up, so network and system administration is new to
me - I am out of my area of expertise here.)

Thanks

Ted


-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
Thanks.  I will do this this evening.

Thanks

ted

-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Yehuda Katz
If you are forwarding the ports to other machines, it is those machines
which need an update, not pfSense.
This is the test: get out your ssh client of choice and connect to the port
from outside. If you get something that is not pfSense, then upgrading ssh
on your firewall isn't going to help.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Chris Buechler
On Fri, Jul 24, 2015 at 3:51 PM, Ted Byers  wrote:
> I have checked our installation of our website (a classic protected LAN
> with a DMZ formed by two pfsense machines serving as our inner and outer
> firewall, and one machine in the DMZ and the rest behind the inner
> firewall) using a PCI scanner.
>
> The PCI scan identified two vulnerabilities WRT our pfsense machines.
>
> First, the scanner complains that TLS1 is supported and we need to restrict
> it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
> that did not make the complaint go away, so is there anything else that
> uses TLS that we need to reconfigure to use only TLS1.2?

That's one where maybe you can disregard compatibility concerns and
only allow TLS 1.2. We're a bit more conservative for compatibility
reasons where there isn't a significant security risk (though TLSv1
probably will get disabled in 2.3-REL). Update the code in
/etc/inc/system.inc to generate the lighttpd config as you desire (and
captiveportal.inc if you're using CP).

> Second, it appears that ssh-server on pfsense is version 6.6 and it would
> be good if we can upgrade that to 6.9 or better (well, if there is better -
> the scan only complains the version if earlier than 6.9)
>

In that case your scanner is stupid, and "you can't fix stupid"
applies. We use the SSH version used in the base FreeBSD version,
which is 6.6 for 10.1. That's perfectly fine. You can't reasonably
upgrade it, and there is no point at all in trying.

Re: upgrading, which you should do as there are legit security reasons
your scanner is blind to (though best to wait a few hours and you can
go to 2.2.4), details here:
https://doc.pfsense.org/index.php/Upgrade_Guide


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Chris Buechler
On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers  wrote:
> This is an external scan.  We forward ports such as 443 and 22 to specific
> Ubuntu machines.  But both sshd and apache have been configured to accept
> only TLS1.2
>

In the case of forwarded ports it's the Ubuntu machines that are
triggering it. That has nothing to do with the firewall.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
In that case, then, the scan is wrong as all our Ubuntu machines are
configured to use only TLS1.2

Thanks.

Ted


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ryan Coleman

> On Jul 24, 2015, at 7:18 PM, Ted Byers  wrote:
> 
> In that case, then, the scan is wrong as all our Ubuntu machines are
> configured to use only TLS1.2


I am curious as to what tool you were using.



Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-25 Thread Chris Buechler
On Fri, Jul 24, 2015 at 8:11 PM, Ryan Coleman  wrote:
>
> I am curious as to what tool you were using.
>

Ditto.

One easy way to check for publicly-reachable things is ssllabs.com.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-25 Thread Chris L

> On Jul 24, 2015, at 5:18 PM, Ted Byers  wrote:
> 
> In that case, then, the scan is wrong as all our Ubuntu machines are
> configured to use only TLS1.2

Or you think they are and they’re really not.

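The two checks the thread keeps coming back to (Yehuda's "connect to the forwarded port from outside and see whose sshd answers", and Chris's and Chris L's point that the forwarded Ubuntu hosts should be tested for which TLS versions they really accept) can be done from any outside host with a short script. The following is an added example written for this page; it is not code from the pfSense project or from anyone in the thread. The SSH banners are constructed samples, the "6.9" threshold and the TLS 1.2 target come from the thread, and the host name passed on the command line is a placeholder.

```python
"""Verify what an external scanner actually sees on a forwarded port.

Added example, not from the pfSense list thread. Two checks:
  1. parse the SSH identification banner a host presents and compare the
     OpenSSH version against the scanner's threshold;
  2. attempt a TLS handshake pinned to each protocol version, so that
     "only accepts TLS 1.2" is measured rather than assumed.
"""
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

# Constructed sample banners in the SSH identification-string format
# ("SSH-protoversion-softwareversion comments", RFC 4253 section 4.2).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3",        # an Ubuntu 14.04 host
    "SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420",  # FreeBSD 10.1 base
    "SSH-2.0-OpenSSH_6.9",
    "SSH-2.0-dropbear_2014.66",                         # not OpenSSH at all
]

_OPENSSH_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_ssh_banner(banner: str) -> Optional[Tuple[int, int]]:
    """(major, minor) of the OpenSSH version announced in `banner`, or None
    for non-OpenSSH servers. Patch levels and vendor suffixes are ignored,
    which is how banner-matching scanners read it."""
    m = _OPENSSH_RE.match(banner.strip())
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))


def openssh_older_than(banner: str, threshold: str = "6.9") -> Optional[bool]:
    """True if the banner's OpenSSH version is below `threshold` (6.9 is the
    version the scanner in the thread insisted on); None if not OpenSSH."""
    version = parse_ssh_banner(banner)
    if version is None:
        return None
    t_major, t_minor = (int(x) for x in threshold.split("."))
    return version < (t_major, t_minor)


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Live check: read the identification line the server sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """For each protocol version, attempt a handshake pinned to exactly that
    version. True: the server accepted it; False: it refused; None: this
    client's OpenSSL cannot speak that version, so the result is unknown."""
    results: Dict[str, Optional[bool]] = {}
    for name, version in TLS_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # protocol support is what we test, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # Recent OpenSSL refuses TLS 1.0/1.1 at its default security level;
            # lower it so the answer reflects the server rather than the client.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    import sys
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:52} older than 6.9: {openssh_older_than(banner)}")
    if len(sys.argv) > 1:  # e.g. python check_exposure.py firewall.example.org (placeholder)
        host = sys.argv[1]
        print("SSH banner:", fetch_ssh_banner(host))
        print("TLS versions accepted:", probe_tls_versions(host))
```

Run it from outside the firewall against the public address: if the SSH banner says Ubuntu, the scanner's complaint belongs to the forwarded host, not to pfSense, and if the TLS probe reports `TLSv1: True`, the web server behind port 443 still accepts TLS 1.0 whatever its administrator believes.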

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-26 Thread Ryan Coleman

> On Jul 25, 2015, at 2:02 AM, Chris Buechler  wrote:
> 
> One easy way to check for publicly-reachable things is ssllabs.com.

I have an issue with Qualys: They ding my certification because I have
domain.com on it and not www.domain.com (multi-site cert).

That’s not a reason to lower a score on security.

—
Ryan


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Vick Khera
On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman  wrote:

> I have an issue with Qualys: They ding my certification because I have
> domain.com on it and not www.domain.com (multi-site cert).
>
> That’s not a reason to lower a score on security.
>

The only way I can make sense of your sentence is that they are dinging you
for having a certificate that does not match the name of the site you are
visiting because one has "www." and the other does not. That seems to be
reasonable for them to ding you.

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Moshe Katz
Vick,

Qualys *does* take off points if you have a certificate for your "bare"
domain name without it having "www" as an alternate name.  For example, a
certificate for 'example.com' that doesn't work for 'www.example.com' is
penalized, even if it is really only used for 'example.com'.

I believe that the reason they do this is because they assume that people
always have their sites set up so that www redirects to bare, bare
redirects to www, or both bare and www show the same content.  While this
may not always be true, it is an assumption that Qualys and many other
people make, so it is included in the grade.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Ryan Coleman


Sure, but if you try to load www.domain.com it sends you to the clean
domain immediately. I am not testing www.domain.com - I am testing
domain.com, and there’s no evidence they’re trying to load www.domain.com,
only reading the certificate and seeing it doesn’t cover it.

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Moshe Katz

Ryan,

That is *exactly* what I said.  They *don't* check whether you are
redirecting, and they *don't* try to load the www version. They naively
assume that the same certificate *must* cover both of those names because
they assume you are redirecting one to the other.

There is one reason that it matters, even in your case.  Take the following
four URLs:

   - http://domain.com/      => redirects to SECURE on SAME DOMAIN
   - http://www.domain.com/  => redirects to SECURE on BARE DOMAIN
   - https://domain.com/     => the actual site
   - https://www.domain.com/ => SHOULD redirect to SECURE on BARE DOMAIN

You have handled the first three of them - but not the fourth one.  Instead
of getting a redirect, you will get a certificate error.

I don't know how you have configured your server - you may not even be
listening for secure connections on the WWW subdomain.  However, Qualys
assumes that you are redirecting in that fourth case *and that you are
using the same certificate to do it*, so they are testing for whether your
certificate covers for it.

Again,  I agree with you that this shouldn't affect your score.  I am
simply explaining why they do it.

Moshe


--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Vick Khera
On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz  wrote:

> Again,  I agree with you that this shouldn't affect your score.  I am
> simply explaining why they do it.
>

Based on this explanation, I agree. There's no reason for them to demand
your certificate also signs any other domain name as long as it signs the
one to which they are connecting and testing.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Claudio Thomas

 
On 29.07.2015 18:02, Vick Khera wrote:
> On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz  wrote:
>
>> Again,  I agree with you that this shouldn't affect your score.  I am
>> simply explaining why they do it.
> based on this explanation, i agree. there's no reason for them to demand
> your certificate also signs any other domain name as long as it signs the
> one to which they are connecting and testing.
Hi, the reason why it affects your score is simple:
1. The client makes a request to https://www.example.net
=> if it does not redirect to https://example.net, the check stops here.
All is OK.
=> if your server responds with a redirect to https://example.net, it
does it with an untrusted certificate. Untrusted, because the server
certificate is not certified to be used for www.example.net.

So you have 3 options:
1. disable redirection of https://www to https://bare (probably not what
you wish)
2. give your https://www server a valid certificate, so that the
redirect is trustworthy (as done by https://www.web.de, which points to
https://web.de)
3. if it is the same server, but only a separate config, you probably
should get a certificate with CN: www.example.net and ALT-Names: DNS:
www.example.net and DNS: example.net (example: https://xmodus-systems.de
redirects to https://www.xmodus-systems.de, the cert is valid for both)

Again: the connection to https://www.example.net is technically not OK
for sure. But this you probably already know.
Now "why does Qualys also check the www.?": Qualys checks this option for
bare domains, because many users worldwide are used to prefixing www. to
every domain without thinking about it (bad habit). If the www. domain does
not belong to you, it is a potential risk that your customers think they
are accessing your site but in reality it is a possible "man-in-the-middle"
site.
=> Security is not only a technical issue, but must also take account of
human bad habits.

Best regards,
Claudio

-- 
Working on OpenWrt CC for Xmodus GSM Router XM1710E




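Moshe's fourth URL (https://www.domain.com/ answering with a certificate that does not name it) and Claudio's option 3 (one certificate whose SAN lists both www.example.net and example.net) reduce to a single question: does the certificate a server presents cover both the bare name and its www. alias? The script below is an added example written for this page, not code from the thread, from Qualys or from pfSense. The certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, and the matching rule follows RFC 6125 (SAN takes precedence over the subject CN; a wildcard covers exactly one leftmost label); how SSL Labs weighs the result is not modelled, only the thread's description of what it looks for.

```python
"""Check whether one server certificate covers both example.com and
www.example.com, the pair the thread says SSL Labs expects to be covered.

Added example, not from the pfSense list thread. Offline on constructed
certificate dicts; fetch_peer_cert() does the same check against a live host.
"""
import socket
import ssl
from typing import Dict, List

# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert()
# returns (only the fields this check uses).
CERT_BARE_ONLY = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
}
CERT_BOTH = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_CN_ONLY = {  # legacy certificate without a SAN extension
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
}


def cert_names(cert: dict) -> List[str]:
    """DNS names the certificate is valid for: the SAN entries, or the
    subject CN only when no SAN is present (RFC 6125 section 6.4.4)."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert: dict, hostname: str) -> bool:
    return any(name_matches(p, hostname) for p in cert_names(cert))


def www_bare_check(cert: dict, domain: str) -> Dict[str, bool]:
    """Coverage of the bare name and of its www. alias."""
    bare = domain.lower()
    if bare.startswith("www."):
        bare = bare[4:]
    return {bare: cert_covers(cert, bare), "www." + bare: cert_covers(cert, "www." + bare)}


def uncovered_names(cert: dict, domain: str) -> List[str]:
    """The names of the pair that this certificate would fail for."""
    return [name for name, ok in www_bare_check(cert, domain).items() if not ok]


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: pull the certificate a server presents for `host`.
    Chain validation stays on (an untrusted chain raises); the hostname
    check is off so that a name mismatch is reported instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    for label, cert in [("bare only", CERT_BARE_ONLY), ("bare+www", CERT_BOTH),
                        ("wildcard", CERT_WILDCARD), ("CN only", CERT_CN_ONLY)]:
        print(f"{label:10} uncovered: {uncovered_names(cert, 'example.com')}")
    if len(sys.argv) > 1:  # e.g. python cert_names.py example.org (placeholder)
        domain = sys.argv[1]
        print(domain, "uncovered:", uncovered_names(fetch_peer_cert(domain), domain))
```

On the thread's own case, a certificate naming only the bare domain reports `www.example.com` as uncovered, which is the finding Ryan saw; adding the www. name as a SAN entry (Claudio's option 3) clears it, while a wildcard certificate covers www. but not the bare name and so fails the other half of the pair.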