Keith Owen
asked on
Compliance check help
We had to run a compliance check for the computer system and it failed. The following are notes given to rectify the faults.
I am unsure what they are and what to do, any help will be much appreciated.
1. Disable SSLv3 support to avoid this vulnerability.
Examples to disable SSLv3.
nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 are not listed. For example: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Apache: Add -SSLv3 to the "SSLProtocol" line.
2. An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.
3. Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h or later to remediate this vulnerability.
For embedded systems, please contact the embedded system vendor for updates.
4. RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider.
Thanks in advance.
Is the OS a linux variant or a Windows machine?
ASKER
Windows Server 2012 R2
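Items 1 and 4 of the scanner's notes applied on the Windows Server 2012 R2 host named above, as an added example that is not part of the thread. It assumes an elevated PowerShell session and the standard SCHANNEL and RDP-Tcp registry locations; item 3 (OpenSSL) concerns whatever third-party service ships its own OpenSSL build and is not touched here.

```powershell
# Added example (not from the thread): disable SSLv2/SSLv3 in SCHANNEL and force
# RDP onto TLS with high encryption. Run elevated; SCHANNEL changes need a reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'SSL 3.0'
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 stops applications
        # that call SCHANNEL with default flags from opting back in.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Set-RdpTransportSecurity {
    # SecurityLayer 2 = TLS ("use SSL as the privacy and integrity provider" in the notes),
    # MinEncryptionLevel 3 = High (128-bit), UserAuthentication 1 = require NLA.
    Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name 'MinEncryptionLevel' -Value 3 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Get-HardeningStatus {
    # Read the values back so the state can be confirmed before the next compliance scan.
    $status = [ordered]@{}
    foreach ($p in 'SSL 2.0', 'SSL 3.0') {
        $key = Join-Path $schannel "$p\Server"
        $status["$p server Enabled"] = if (Test-Path $key) {
            (Get-ItemProperty -Path $key).Enabled
        } else { 'not set (protocol left at OS default)' }
    }
    $rdp = Get-ItemProperty -Path $rdpTcp
    $status['RDP SecurityLayer']      = $rdp.SecurityLayer
    $status['RDP MinEncryptionLevel'] = $rdp.MinEncryptionLevel
    $status['RDP UserAuthentication'] = $rdp.UserAuthentication
    [pscustomobject]$status
}

Disable-SchannelProtocol -Name 'SSL 2.0'
Disable-SchannelProtocol -Name 'SSL 3.0'
Set-RdpTransportSecurity
Get-HardeningStatus
```

Expect SSL 2.0 and SSL 3.0 to show Enabled = 0 and RDP SecurityLayer = 2 after a reboot; re-run the compliance scan afterwards to confirm the findings clear.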
ASKER
Thanks for the comments, I will have a proper read through over the weekend.
As per advised for consideration.
ASKER
Ok, I have an update for this... any replies, please make it simple as I am not very good in this area :)
Do I close port 50001 ?
[attached image: unnamed.jpg]
If you need SSL, you will need the port. It looks like it is more that your server has yet to be hardened by upgrading OpenSSL to the latest version.
Suggest you open up another new question for follow up queries. Thanks.
ASKER
Ok, thanks.