Thanks for this. I'd hoped it would be as simple as apt-get update && apt-get upgrade && apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfsense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.
Thanks

Ted

On Fri, Jul 24, 2015 at 5:13 PM, Adam Thompson <[email protected]> wrote:
> I'm 95% sure the answer is "wait for the developers to fix those issues"
> and/or "become a developer and fix those issues" :-).
>
> Configuration of lighttpd is controlled by the pfSense management
> framework, so once you discover the correct invocation, you could locally
> modify the PHP file that generates the configuration.
>
> In theory, all you need to add to /var/etc/lighty-webConfigurator.conf
> would be
>
> |ssl.cipher-list = "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA EDH-RSA-DES-CBC3-SHA AES256-SHA AES128-SHA DES-CBC3-SHA DES-CBC3-MD5 RC4-SHA RC4-MD5"|
>
> but you need to find where in the PHP framework that file gets written. I
> can't find it in under 60 seconds, so you're on your own there.
>
> As to updating sshd, that's replacing a core piece of the system. I'm not
> even going to speculate how or what the impact would be.
>
> -Adam
>
>
> On 07/24/2015 03:51 PM, Ted Byers wrote:
>
>> I have checked our installation of our website (a classic protected LAN
>> with a DMZ formed by two pfsense machines serving as our inner and outer
>> firewall, and one machine in the DMZ and the rest behind the inner
>> firewall) using a PCI scanner.
>>
>> The PCI scan identified two vulnerabilities WRT our pfsense machines.
>>
>> First, the scanner complains that TLS1 is supported and we need to restrict
>> it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but
>> that did not make the complaint go away, so is there anything else that
>> uses TLS that we need to reconfigure to use only TLS1.2?
>> Second, it appears that ssh-server on pfsense is version 6.6 and it would
>> be good if we can upgrade that to 6.9 or better (well, if there is better -
>> the scan only complains about the version if earlier than 6.9)
>>
>> If we can fix these two things, a little over half of the complaints from
>> the scanner will be resolved. I have spent a couple of days using google,
>> trying to resolve these, but to no avail (compounded by the fact the
>> signal to noise ratio in my searches was abysmal).
>>
>> Thanks
>>
>> Ted
>>
>>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
[email protected]
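The thread asks which listener is still accepting TLS 1.0 after the lighttpd change, and whether something else on the box speaks TLS. The script below is an added example, not code from the thread or from the pfSense project: it runs the same per-protocol handshake probe a PCI scanner does, using the openssl CLI, so you can point it at the outer firewall's GUI port, the inner firewall, and any other port the scanner lists, and see which versions each one accepts. The host and port values are placeholders (203.0.113.1 and 192.168.1.1 are assumed addresses, not taken from the thread), and it assumes an openssl binary on the path; an openssl built without a given protocol reports that as unsupported-by-client rather than as the server refusing it.

```shell
#!/bin/sh
# Added example: probe which TLS protocol versions a listener accepts.
# Assumes the openssl CLI is installed; host/port values are placeholders.

# classify_handshake OUTPUT
#   Reads the output of `openssl s_client` and returns one of:
#   accepted | refused | unsupported-by-client | unreachable
#   s_client prints "New, TLSv1.2, Cipher is <name>" on success and
#   "New, (NONE), Cipher is (NONE)" when the server declines that version.
classify_handshake() {
  case "$1" in
    *"unknown option"*)                     echo unsupported-by-client ;;
    *"connect:errno"*|*"Connection refused"*) echo unreachable ;;
    *"Cipher is (NONE)"*)                   echo refused ;;
    *"Cipher is "*)                         echo accepted ;;
    *)                                      echo refused ;;
  esac
}

# probe_version HOST PORT FLAG
#   FLAG is one of -tls1 -tls1_1 -tls1_2 -tls1_3. The `|| true` keeps a
#   failed handshake (non-zero exit) from aborting a `set -e` caller.
probe_version() {
  out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 || true)
  classify_handshake "$out"
}

# probe_host HOST PORT
#   One line per protocol version, e.g. "203.0.113.1:443 -tls1    accepted".
#   Any "accepted" on -tls1 or -tls1_1 is what the scanner is flagging.
probe_host() {
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%s:%s %-8s %s\n' "$1" "$2" "$flag" "$(probe_version "$1" "$2" "$flag")"
  done
}

# Usage (placeholder addresses for the outer and inner firewall GUI listeners):
# probe_host 203.0.113.1 443
# probe_host 192.168.1.1 443
```

Run it from a machine the scanner's traffic path resembles (outside the outer firewall for the public side), and against every port the scan report names, not just 443 on the box you edited: if lighttpd now refuses -tls1 but the scanner still complains, the finding is coming from a different listener or a different address.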
