On Wed, Aug 19, 2015 at 4:38 AM, Jon Gerdes <[email protected]> wrote:

Thanks Jon

> On Tue, 2015-08-18 at 23:04 -0400, Ted Byers wrote:
> > On our latest penetration test, our pfsense machines were flagged as having
> > a SSL/TLS Diffie-Hellman Modulus <= 1024 Bits, allegedly making it
> > vulnerable to Logjam. This is for the web server on the pfsense machine,
> > used to administer it.
> >
> > I do not, at present, care about the wherefore and why.
> >
> > All I want to know is where and how the size of the Diffie-Hellman modulus
> > is configured, and what do I change in order to have that set to, say, 2048
> > bits.
> >
> > Thanks
> >
> > Ted
> >
>
> Which version of pfSense?

The latest: 2.2.4

> You can import your own certificate signed externally with whatever
> parameters you like and I notice that if I try and generate a new one in
> certificate manager (on 2.2.4), it defaults to a key length of 2048 bits
> and SHA256.

Ok, thanks. I didn't realize this would come from our certificate. I'll give that a try.

> Finally, although it is good practice to scan your gear I trust you
> usually have a firewall rule that prohibits access to the web
> configurator console except from a few sources. Also the port you
> should have shuffled off to a non default.

Well, the port is shuffled off to something higher than 50000. I'd have preferred to have set this port to accept connections only from my IP and that of my colleague, but while I have a fixed IP address, he does not.

> Cheers
> Jon
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

Thanks again

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
