Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-19 Thread Rainer Duffner
> 
> On investigation, we found the certificate is not the problem as our
> certificate is already 2048 bit.
> 
> What else might this be?
> 
> Thanks



https://weakdh.org 

Out of interest, I looked into this.
I haven’t exposed my web-interface, so I can’t check with ssllabs checker.

Above site recommends:
ssl.dh-file=

and the path to the strong dh-group created by

openssl dhparam -out dhparams.pem 2048


However, this is not included in my configuration:

ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = 
"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"


Maybe pfSense is smart enough to figure out that maybe my aging ALIX board is 
just too slow for this?

[2.2.4-RELEASE][r...@pfsense.example.org ]/tmp: 
time openssl dhparam -out dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+..+..++..+..+..++.+.+..+...+.+...+++*++*
unable to write 'random state'
844.901u 0.105s 15:05.79 93.2%  613+197k 0+2io 13pf+0w



I also can’t find any security-advisory on this.




___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
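The settings Rainer lists, together with the ssl.dh-file line weakdh.org recommends, can be checked offline. The following is an added example, not pfSense or lighttpd code: it parses a config fragment modelled on the one quoted above and, when DHE cipher suites are offered, reads the PEM "DH PARAMETERS" file and reports whether its prime is at least 2048 bits. The helper names (make_dh_pem, der_read, audit), the constructed THREAD_CONF fragment and the sample primes (which are not real safe primes, only numbers of the right size) are assumptions made for this example.

```python
import base64
import re
# Added example, not pfSense's or lighttpd's own code. It checks a lighttpd TLS config
# fragment like the one quoted in this thread for the Logjam fix described there: if DHE
# ciphers are offered, ssl.dh-file must name a group whose prime is at least 2048 bits.
# 'openssl dhparam' writes PEM-wrapped DER: SEQUENCE { INTEGER p, INTEGER g }.

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body

def make_dh_pem(p, g=2):  # encodes (p, g) like 'openssl dhparam'; used here to build samples
    ints = b''
    for n in (p, g):
        body = n.to_bytes((n.bit_length() + 8) // 8, 'big')  # keeps a leading 0x00 when needed
        ints += b'\x02' + der_len(len(body)) + body
    der = b'\x30' + der_len(len(ints)) + ints
    return '-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n' % base64.b64encode(der).decode()

def der_read(buf, pos=0):  # minimal DER TLV reader: (tag, contents, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):  # bit length of p in a PEM 'DH PARAMETERS' blob
    b64 = ''.join(l for l in pem.splitlines() if not l.startswith('-----'))
    tag, seq, _ = der_read(base64.b64decode(b64))
    assert tag == 0x30, 'expected SEQUENCE'
    tag, p_bytes, _ = der_read(seq)
    assert tag == 0x02, 'expected INTEGER p'
    return int.from_bytes(p_bytes, 'big').bit_length()

def audit(conf, dh_pem=None, min_bits=2048):  # list of findings; empty means the DH check passes
    # join a value that was wrapped onto the line after '=' (as in the quoted config)
    cfg = dict(re.findall(r'^\s*([\w.-]+)\s*=\s*"([^"]*)"', re.sub(r'=\s*\n\s*', '= ', conf), re.M))
    if not re.search(r'(?<!EC)DHE|EDH', cfg.get('ssl.cipher-list', '')):  # DHE/EDH, not ECDHE
        return []  # no finite-field DHE suites offered, so no DH group is ever negotiated
    if 'ssl.dh-file' not in cfg:
        return ['DHE ciphers offered but no ssl.dh-file: lighttpd uses its default DH group']
    if dh_pem is None:
        return ['ssl.dh-file is set but its contents were not supplied for checking']
    bits = dh_prime_bits(dh_pem)
    return [] if bits >= min_bits else ['ssl.dh-file prime is %d bits, below %d' % (bits, min_bits)]

# Constructed fragment modelled on the thread's snippet: DHE offered, no ssl.dh-file.
THREAD_CONF = ('ssl.engine = "enable"\nssl.pemfile = "/var/etc/cert.pem"\nssl.cipher-list = \n'
               '"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:!aNULL:!eNULL:!DSS"\n')
```

Dropping the EDH aliases from ssl.cipher-list (leaving only EECDH suites) is the other way to make the check pass, since no DH group is negotiated at all then.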

Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-19 Thread Ted Byers
Hi Jon,

On Wed, Aug 19, 2015 at 4:38 AM, Jon Gerdes  wrote:
> On Tue, 2015-08-18 at 23:04 -0400, Ted Byers wrote:
>> On our latest penetration test, our pfsense machines were flagged as having
>> a SSL/TLS Diffie-Hellman Modulus <= 1024 Bits, allegedly making it
>> vulnerable to Logjam.  This is for the web server on the pfsense machine,
>> used to administer it.
>>
>> I do not, at present, care about the wherefore and why.
>>
>> All I want to know is where and how the size of the Diffie-Hellman modulus
>> is configured, and what do I change in order to have that set to,say, 2048
>> bits.
>>
>> Thanks
>>
>> Ted
>>
>
> Which version of pfSense?
>
> You can import your own certificate signed externally with whatever
> parameters you like and I notice that if I try and generate a new one in
> certificate manager (on 2.2.4), it defaults to a key length of 2048 bits
> and SHA256.
>

On investigation, we found the certificate is not the problem as our
certificate is already 2048 bit.

What else might this be?

Thanks

Ted


Re: [pfSense] bacula downgrade on pfsense 2.2.2

2015-08-19 Thread J. Echter



On 12.08.2015 at 18:48, Justin Edmands wrote:

I have upgraded my pfsense firewalls to 2.2.2. Bacula-fd needs to be 5.2
and below. I only see bacula 7 in the package manager. Any way to fix this?

Hi,

Upgrade the director; you will be fine using old 5.x fd's with a 7.x director.

Greets

Juergen


Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-19 Thread Ted Byers
On Wed, Aug 19, 2015 at 4:38 AM, Jon Gerdes  wrote:
>
Thanks Jon

> On Tue, 2015-08-18 at 23:04 -0400, Ted Byers wrote:
> > On our latest penetration test, our pfsense machines were flagged as having
> > a SSL/TLS Diffie-Hellman Modulus <= 1024 Bits, allegedly making it
> > vulnerable to Logjam.  This is for the web server on the pfsense machine,
> > used to administer it.
> >
> > I do not, at present, care about the wherefore and why.
> >
> > All I want to know is where and how the size of the Diffie-Hellman modulus
> > is configured, and what do I change in order to have that set to,say, 2048
> > bits.
> >
> > Thanks
> >
> > Ted
> >
>
> Which version of pfSense?
>
The latest: 2.2.4

> You can import your own certificate signed externally with whatever
> parameters you like and I notice that if I try and generate a new one in
> certificate manager (on 2.2.4), it defaults to a key length of 2048 bits
> and SHA256.
>
Ok, thanks.  I didn't realize this would come from our certificate.
I'll give that a try.

> Finally, although it is good practice to scan your gear I trust you
> usually have a firewall rule that prohibits access to the web
> configurator console except from a few sources.  Also the port you
> should have shuffled off to a non default.
>
Well, the port is shuffled off to something higher than 5.

I'd have preferred to have set this port to accept connections only
from my IP and that of my colleague, but while I have a fixed IP
address, he does not.

> Cheers
> Jon

Thanks again

Ted

-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.


Re: [pfSense] Block Torrentz

2015-08-19 Thread Paul Mather
On Aug 19, 2015, at 1:32 AM, A Mohan Rao  wrote:
> 
> Sorry, I am not clear on your point...!

I believe the point is that focusing on blocking port ranges like 6881-6889 is 
horribly outdated with modern BitTorrent clients. :-)

Many BitTorrent clients will choose a random port on startup and then use 
NAT-PMP or uPnP to open it at the firewall to ensure the client is reachable.  
It's also common for BitTorrent clients to use various methods to discover 
clients (PEX, DHT, local peer discovery), and also to encrypt traffic between 
those clients.  Increasingly, people are also using VPN providers to connect to 
BitTorrent trackers or otherwise connect to swarms.

Cheers,

Paul.

> 
> On Wed, Aug 19, 2015 at 1:21 AM, Espen Johansen  wrote:
> 
>> Focus on layer 7. Most torrent clients use dynamic ports. And disable upnp
>> as that will defeat the ports blocking as well.
>> 
>> -lsf
>> 
>> Tue, 18 Aug 2015, 21:21, A Mohan Rao wrote:
>> 
>>> Hello pfSense experts,
>>> 
>>> I found out torrent ports like 6881-6889 etc.
>>> and created a firewall block rule, source LAN network, destination any,
>>> with torrent ports, but users can still download torrent data.
>>> I also created a layer 7 BitTorrent rule in the traffic shaper, still without
>>> any positive result.
>>> Please guide me where I am wrong or why my rules do not work...
>>> 
>>> Thanks in advance.
>>> 
>>> Mohan Rao
>>> 
>> 
> 



Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

2015-08-19 Thread Jon Gerdes
On Tue, 2015-08-18 at 23:04 -0400, Ted Byers wrote:
> On our latest penetration test, our pfsense machines were flagged as having
> a SSL/TLS Diffie-Hellman Modulus <= 1024 Bits, allegedly making it
> vulnerable to Logjam.  This is for the web server on the pfsense machine,
> used to administer it.
> 
> I do not, at present, care about the wherefore and why.
> 
> All I want to know is where and how the size of the Diffie-Hellman modulus
> is configured, and what do I change in order to have that set to,say, 2048
> bits.
> 
> Thanks
> 
> Ted
> 

Which version of pfSense?

You can import your own certificate signed externally with whatever
parameters you like and I notice that if I try and generate a new one in
certificate manager (on 2.2.4), it defaults to a key length of 2048 bits
and SHA256.

Finally, although it is good practice to scan your gear I trust you
usually have a firewall rule that prohibits access to the web
configurator console except from a few sources.  Also the port you
should have shuffled off to a non default.

Cheers
Jon