vsftpd and PCI compliance
I'm failing my PCI scan (from securitymetrics) because of vsftpd.
I have it configured to allow only SSL authentication and data:
Security metrics says:
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis: The remote service allows insecure renegotiation of TLS / SSL connections.
What's the version and release date of your vsftpd and OpenSSL?
Does the changelog for OpenSSL mention fixing CVE-2009-3555?
I recompiled ssl and vsftpd and I passed one of the tests.
Now I'm getting this one:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
Synopsis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Can I use TLS 1.1 or TLS 1.2 with vsftpd?
How do I tell vsftpd to use a NON-CBC mode cipher?
Thanks for your help!
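The two questions in the last post (TLS 1.1/1.2 and non-CBC ciphers) both come down to a handful of vsftpd.conf options. The fragment below is an added example, not configuration from the original poster; it shows the kind of setting that trips the CBC finding next to a hardened version. Assumptions: a vsftpd new enough to have the ssl_tlsv1_1 and ssl_tlsv1_2 options (3.0.3 and later, as far as I know; 2.x builds without them can only negotiate TLS 1.0), an OpenSSL with TLS 1.2 and AES-GCM (1.0.1 or later), and a certificate path of /etc/ssl/private/vsftpd.pem. vsftpd does not accept trailing comments on a value line, so every comment is on its own line.

```ini
# /etc/vsftpd.conf, TLS-related part only (added example, assumed paths)

# --- weak: the shape of a config that fails the CBC / IV check ---
# SSL 3.0 and TLS 1.0 still offered, and a CBC suite forced on
#ssl_enable=YES
#ssl_sslv2=NO
#ssl_sslv3=YES
#ssl_tlsv1=YES
#ssl_ciphers=DES-CBC3-SHA

# --- hardened ---
ssl_enable=YES
# Refuse plaintext logins and plaintext data channels for local users
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Assumed certificate+key path; adjust to your install
rsa_cert_file=/etc/ssl/private/vsftpd.pem
# Drop SSL 2.0/3.0 and TLS 1.0; TLS 1.0 is the version the IV finding covers
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
# Requires a vsftpd that knows these two options (3.0.3+, assumption)
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
# AES-GCM is an AEAD mode, not CBC, so the scanner's CBC check no longer applies.
# RSA key exchange is used here because it needs no DH/ECDH setup in vsftpd;
# add ECDHE-RSA-AES128-GCM-SHA256 in front if your vsftpd/OpenSSL build negotiates it.
ssl_ciphers=AES128-GCM-SHA256:AES256-GCM-SHA384
```

After restarting vsftpd, confirm the result from another machine rather than trusting the file: `openssl s_client -connect HOST:21 -starttls ftp -tls1` should now fail to handshake, `openssl s_client -connect HOST:21 -starttls ftp -tls1_2` should succeed and report one of the GCM suites on its `Cipher:` line, and the same output should say `Secure Renegotiation IS supported`, which is what the earlier CVE-2009-3555 finding was about. Two caveats: setting ssl_tlsv1=NO locks out FTP clients that only speak TLS 1.0, so check your client base first; and the other way to avoid CBC on TLS 1.0, an RC4 suite, was the common workaround when this finding first appeared but RC4 is itself broken and prohibited for TLS by RFC 7465, so it will just trade one scan failure for another.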