LinuxQuestions.org

Linux - Networking: vsftpd and PCI compliance (http://www.linuxquestions.org/questions/linux-networking-3/vsftpd-and-pci-compliance-4175428336/)

saraza 09-21-2012 02:30 AM

vsftpd and PCI compliance
 
Hi,

I'm failing my PCI scan (from securitymetrics) because of vsftpd.
I have it configured to allow only SSL authentication and data:

ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH

SecurityMetrics says:
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection Synopsis: The remote service allows insecure renegotiation of TLS / SSL connections.

Any ideas?

Thanks!

unSpawn 09-21-2012 07:33 AM

What's the version and release date of your Vsftpd and OpenSSL?
Does the changelog for OpenSSL mention fixing CVE-2009-3555?

saraza 09-22-2012 12:16 PM

Quote:

Originally Posted by unSpawn (Post 4785768)
What's the version and release date of your Vsftpd and OpenSSL?
Does the changelog for OpenSSL mention fixing CVE-2009-3555?


Thanks!
I recompiled ssl and vsftpd and I passed one of the tests.

Now I'm getting this one:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synopsis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Can I use TLS 1.1 or TLS 1.2 with vsftpd?
How do I tell vsftpd to use a NON-CBC mode cipher?

Thanks for your help!

unSpawn 09-22-2012 01:39 PM

Quote:

Originally Posted by saraza (Post 4786649)
Can I use TLS 1.1 or TLS 1.2 with vsftpd?

See the man page's ssl_.* options.


Quote:

Originally Posted by saraza (Post 4786649)
How do I tell vsftpd to use a NON-CBC mode cipher?

See the man page: "ssl_ciphers".
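The check unSpawn's answer points at, as an added example (not code from the thread or from vsftpd): it parses the ssl_* lines of a vsftpd.conf and flags the one finding that is visible in the config, TLS 1.0 combined with CBC cipher suites. The renegotiation finding (CVE-2009-3555) is fixed by the OpenSSL build, not by vsftpd.conf, so it is not checked. Assumptions: ssl_tlsv1_1 and ssl_tlsv1_2 are vsftpd 3.0+ options, the absent-key defaults (ssl_tlsv1=YES, ssl_ciphers=DES-CBC3-SHA) follow the vsftpd man page, and the AES-GCM suites in the hardened config need TLS 1.2 and OpenSSL 1.0.1 or later.

```python
# Constructed input: the poster's ssl_* lines from the thread (force_* omitted).
WEAK_CONF = """\
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
"""

# Hardened counterpart (ssl_tlsv1_1/ssl_tlsv1_2: vsftpd 3.0+ options, assumed).
HARDENED_CONF = """\
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""

def parse_conf(text):
    """vsftpd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def offers_cbc(cipher_string):
    """Heuristic over an OpenSSL cipher string: exclusions (!, -) and @ordering add no
    suites; any other token not naming a GCM/CCM/CHACHA20 suite admits CBC suites."""
    for token in cipher_string.split(":"):
        if token.startswith(("!", "-", "@")):
            continue
        if not any(aead in token for aead in ("GCM", "CCM", "CHACHA20")):
            return True
    return False

def audit(conf):
    """Findings visible in vsftpd.conf for the thread's issues; [] means pass."""
    yes = lambda key, default="NO": conf.get(key, default).upper() == "YES"
    findings = []
    if yes("ssl_sslv2") or yes("ssl_sslv3"):
        findings.append("SSL 2.0/3.0 enabled: set ssl_sslv2=NO and ssl_sslv3=NO")
    # vsftpd man-page defaults assumed: ssl_tlsv1=YES, ssl_ciphers=DES-CBC3-SHA
    if yes("ssl_tlsv1", "YES") and offers_cbc(conf.get("ssl_ciphers", "DES-CBC3-SHA")):
        findings.append("TLS 1.0 with CBC suites (the IV/BEAST finding): set "
                        "ssl_tlsv1=NO, ssl_tlsv1_2=YES and a non-CBC ssl_ciphers")
    return findings
```

Run `audit(parse_conf(open("/etc/vsftpd.conf").read()))` against a live config; an empty list means both config-visible checks pass.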

