On Fri, Jul 24, 2015 at 3:51 PM, Ted Byers <r.ted.by...@gmail.com> wrote:
> I have checked our installation of our website (a classic protected LAN
> with a DMZ formed by two pfsense machines serving as our inner and outer
> firewall, and one machine in the DMZ and the rest behind the inner
> firewall) using a PCI scanner.
>
> The PCI scan identified two vulnerabilities WRT our pfsense machines.
>
> First, the scanner complains that TLS1 is supported and we need to restrict
> it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
> that did not make the complaint go away, so is there anything else that
> uses TLS that we need to reconfigure to use only TLS1.2?

That's one where maybe you can disregard compatibility concerns and
only allow TLS 1.2. We're a bit more conservative for compatibility
reasons where there isn't a significant security risk (though TLSv1
probably will get disabled in 2.3-REL). Update the code in
/etc/inc/system.inc to generate the lighttpd config as you desire (and
captiveportal.inc if you're using CP).

> Second, it appears that ssh-server on pfsense is version 6.6 and it would
> be good if we can upgrade that to 6.9 or better (well, if there is better -
> the scan only complains if the version is earlier than 6.9)
>

In that case your scanner is stupid, and "you can't fix stupid"
applies. We use the SSH version used in the base FreeBSD version,
which is 6.6 for 10.1. That's perfectly fine. You can't reasonably
upgrade it, and there is no point at all in trying.

Re: upgrading, which you should do as there are legit security reasons
your scanner is blind to (though best to wait a few hours and you can
go to 2.2.4), details here:
https://doc.pfsense.org/index.php/Upgrade_Guide
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
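A way to confirm the first finding after editing the lighttpd template, as an added example that is not part of the thread: it forces one protocol version per handshake with openssl s_client and judges the listener on the exit status. The host and ports in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: check which TLS protocol versions a pfSense webGUI or
# captive portal listener still accepts. `openssl s_client -connect` with a
# forced version flag exits 0 only when that handshake succeeds, so no
# output parsing is needed. An unreachable host or an unsupported flag
# (e.g. -ssl3 on builds without SSLv3) shows up as "rejected", which is the
# safe side for this check.

# probe_version HOST:PORT FLAG  -> prints "accepted" or "rejected"
probe_version() {
    if openssl s_client -connect "$1" "$2" </dev/null >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# tls_verdict "ssl3=rejected tls1=rejected tls1_1=rejected tls1_2=accepted"
# Pure function (no network): PASS when TLS 1.2 is accepted and nothing
# older is, otherwise FAIL followed by the offending protocols.
tls_verdict() {
    bad=""
    ok12=no
    for pair in $1; do
        proto=${pair%%=*}
        status=${pair#*=}
        case "$proto" in
            tls1_2) [ "$status" = accepted ] && ok12=yes ;;
            *)      [ "$status" = accepted ] && bad="$bad $proto" ;;
        esac
    done
    [ "$ok12" = yes ] || bad="$bad tls1_2-missing"
    if [ -z "$bad" ]; then
        echo PASS
    else
        echo "FAIL:$bad"
    fi
}

# scan_listener HOST:PORT -> one verdict line for that listener
scan_listener() {
    results=""
    for v in ssl3 tls1 tls1_1 tls1_2; do
        results="$results $v=$(probe_version "$1" "-$v")"
    done
    echo "$1: $(tls_verdict "$results")"
}

# Usage (placeholder address; 443 = webGUI, 8002 = a captive portal port):
# for l in 192.0.2.1:443 192.0.2.1:8002; do scan_listener "$l"; done
```

Run it from a host the PCI scanner would see the firewall from, so that the result reflects the same listener the scanner tested.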