LinuxQuestions.org
Linux - Networking
#1  09-21-2012, 02:30 AM
saraza (LQ Newbie, Registered: Sep 2011, Posts: 5)
vsftpd and PCI compliance


Hi,

I'm failing my PCI scan (from securitymetrics) because of vsftpd.
I have it configured to allow only ssl authentication and data:

ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH

Security metrics says:
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection. Synopsis: The remote service allows insecure renegotiation of TLS / SSL connections.

Any ideas?

Thanks!

#2  09-21-2012, 07:33 AM
unSpawn (Moderator, Registered: May 2001, Posts: 27,014, Blog Entries: 54)
What's the version and release date of your Vsftpd and OpenSSL?
Does the changelog for OpenSSL mention fixing CVE-2009-3555?

#3  09-22-2012, 12:16 PM
saraza (LQ Newbie, Original Poster, Registered: Sep 2011, Posts: 5)
Quote (Originally Posted by unSpawn):
What's the version and release date of your Vsftpd and OpenSSL?
Does the changelog for OpenSSL mention fixing CVE-2009-3555?

Thanks!
I recompiled ssl and vsftpd and I passed one of the tests.

Now I'm getting this one:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability. Synopsis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Can I use TLS 1.1 or TLS 1.2 with vsftpd?
How do I tell vsftpd to use a NON-CBC mode cipher?

Thanks for your help!

#4  09-22-2012, 01:39 PM
unSpawn (Moderator, Registered: May 2001, Posts: 27,014, Blog Entries: 54)
Quote (Originally Posted by saraza):
Can I use TLS 1.1 or TLS 1.2 with vsftpd?

See the man page ssl_.* options.

Quote (Originally Posted by saraza):
How do I tell vsftpd to use a NON-CBC mode cipher?

See the man page: "ssl_ciphers".
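As an added illustration (not code from this thread, from vsftpd or from the scanner), a small Python audit that parses a vsftpd.conf like the one in the first post, flags the settings behind the two scanner findings, and expands the ssl_ciphers string with the OpenSSL that Python links against to show which CBC suites it still admits. The sample config is constructed from the first post; the only assumption is that vsftpd passes ssl_ciphers to OpenSSL as an ordinary cipher-list string, which is what the man page describes.

```python
import ssl
# Constructed sample: the vsftpd.conf fragment from the first post.
SAMPLE_CONF = """
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
"""

def parse_vsftpd_conf(text):
    """vsftpd.conf is one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def cbc_ciphers(spec):
    """Expand an OpenSSL cipher string (ssl_ciphers format) with the linked OpenSSL; return CBC suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if "cbc" in (c.get("symmetric") or "").lower())

def audit(conf):
    """Findings that map onto the two scanner complaints quoted in the thread."""
    yes = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if yes(key):
            findings.append(f"{key}=YES: obsolete SSL version accepted")
    if yes("ssl_tlsv1"):
        findings.append("ssl_tlsv1=YES: TLS 1.0 accepted, where CBC suites carry the IV weakness")
    spec = conf.get("ssl_ciphers")  # unset: vsftpd's compiled-in default applies, not expanded here
    cbc = []
    try:
        cbc = cbc_ciphers(spec) if spec else []
    except ssl.SSLError:
        findings.append(f"ssl_ciphers={spec}: matches no cipher in this OpenSSL")
    if cbc:
        findings.append(f"ssl_ciphers={spec}: admits {len(cbc)} CBC suites, e.g. {cbc[0]}")
    return findings
```

A config with ssl_tlsv1=NO and an AEAD-only list such as AESGCM:CHACHA20:!aNULL produces no findings; whether vsftpd then still has a protocol to offer depends on which ssl_ options your version's man page lists, as the reply above says.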

Tags: pci, ssl, vsftpd

All times are GMT -5.