vsftpd and PCI compliance
Hi,
I'm failing my PCI scan (from securitymetrics) because of vsftpd. I have it configured to allow only ssl authentication and data:

ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH

Security metrics says:

SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis: The remote service allows insecure renegotiation of TLS / SSL connections.

Any ideas? Thanks!
What's the version and release date of your Vsftpd and OpenSSL?
Does the changelog for OpenSSL mention fixing CVE-2009-3555?
Thanks! I recompiled ssl and vsftpd and I passed one of the tests. Now I'm getting this one:

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
Synopsis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Can I use TLS 1.1 or TLS 1.2 with vsftpd? How do I tell vsftpd to use a NON-CBC mode cipher? Thanks for your help!
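As an added example (not from the thread or the vsftpd project), here is a small checker that reads a vsftpd.conf and reports the protocol-version and cipher settings behind the two findings above. It treats ssl_sslv2, ssl_sslv3, ssl_tlsv1 and ssl_ciphers as the documented vsftpd directives they are, assumes a vsftpd 3.0.x build for the ssl_tlsv1_1 and ssl_tlsv1_2 toggles, and uses the poster's own configuration as constructed sample input next to a hardened variant.

```python
"""Audit a vsftpd.conf for the TLS settings a PCI scan flags.
Added example, not the thread's or vsftpd's code. ssl_sslv2/3, ssl_tlsv1
and ssl_ciphers are documented vsftpd.conf options; ssl_tlsv1_1 and
ssl_tlsv1_2 assume vsftpd 3.0.x. The rules are this example's own."""

# Constructed sample: the TLS lines from the first post's configuration.
ORIGINAL_CONF = """\
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
"""

# Constructed hardened variant: TLS 1.0 off, 1.1/1.2 on, AEAD-only ciphers.
HARDENED_CONF = ORIGINAL_CONF.replace(
    "ssl_tlsv1=YES", "ssl_tlsv1=NO\nssl_tlsv1_1=YES\nssl_tlsv1_2=YES"
).replace("ssl_ciphers=HIGH", "ssl_ciphers=AESGCM:!aNULL")

def parse_vsftpd_conf(text):
    """vsftpd.conf is 'option=value' per line with '#' comments; return a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def audit_tls(opts):
    """Return a list of findings; an empty list means no TLS issue was spotted."""
    if opts.get("ssl_enable", "NO") != "YES":
        return ["ssl_enable is not YES: FTP sessions are plaintext"]
    findings = []
    # SSLv2/SSLv3 must stay off; TLS 1.0 with CBC is what the scan's
    # "Initialization Vector" finding refers to. Defaults match vsftpd's.
    for opt, default in (("ssl_sslv2", "NO"), ("ssl_sslv3", "NO"), ("ssl_tlsv1", "YES")):
        if opts.get(opt, default) == "YES":
            findings.append(f"{opt}=YES allows a protocol version the scanner flags")
    # Something newer than TLS 1.0 must be enabled or no client can connect.
    if not any(opts.get(o) == "YES" for o in ("ssl_tlsv1_1", "ssl_tlsv1_2")):
        findings.append("neither ssl_tlsv1_1 nor ssl_tlsv1_2 is set to YES")
    # A class keyword like HIGH still admits CBC suites, so accept only
    # positive tokens that name AEAD suites (GCM or ChaCha20).
    ciphers = opts.get("ssl_ciphers", "DES-CBC3-SHA")  # vsftpd's default
    positive = [c for c in ciphers.split(":") if c and not c.startswith("!")]
    if not positive or not all("GCM" in c.upper() or "CHACHA" in c.upper() for c in positive):
        findings.append(f"ssl_ciphers={ciphers!r} permits CBC-mode cipher suites")
    return findings
```

Run `audit_tls(parse_vsftpd_conf(open("/etc/vsftpd.conf").read()))` against a live config; the renegotiation finding is an OpenSSL-level issue (CVE-2009-3555) that no vsftpd.conf option controls, so it is not checked here.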