vsftpd and PCI compliance
 

Hi,

I'm failing my PCI scan (from securitymetrics) because of vsftpd.
I have it configured to allow only ssl authentication and data:

ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH

Security metrics says:
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection Synoposis: The remote service allows insecure renegotiation of TLS / SSL connections.

Any ideas?

Thanks!

What's the version and release date of your Vsftpd and OpenSSL?
Does the changelog for OpenSSL mention fixing CVE-2009-3555?

Thanks!
I recompiled ssl and vsftpd and I passed one of the tests.

Now I'm getting this one:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synoposis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Can I use TLS 1.1 or TLS 1.2 with vsftpd?
How do I tell vsftpd to use a NON-CBC mode cipher?

Thanks for your help!

See the man page ssl_.* options.


See the man page: "ssl_ciphers".