
SSL Warnings

I have an SFTP server in my DMZ. There's a DNAT entry and firewall policy allowing access from Internet IPv4 using port 22 to the server. No other ports are open. No SSL cert is installed on the server.

When we run a Pen test from outside the company, it's throwing a bunch of SSL errors. 

SSL Certificate Cannot Be Trusted, SSL Certificate with Wrong Hostname, SSL Self-Signed Certificate

Turns out, the scanner is returning info from the UTM's SSL cert. How do I fix this?

  • You will have to install a publicly recognizable certificate which can cost money.

    There are however, free variants:

    1. Letsencrypt

    2. Startssl (free but you will have to renew every year)

  • I don't think that will fix the problem. The name of the UTM still won't match the name of the SFTP server.

    I'm wondering what policy will force the tester to look at the server.

  • On which open port is it detecting the certificate? UTM is known to open ports that are not wanted, notably the SMTP proxy opens port 25 on all configured addresses.

  • The name of the UTM doesn't have to match the server. Think of webservers. They can have multiple certificates but many can reside on one host.

    If you have a host called utm.mydomain.com at 1.1.1.1 and it has a certificate loaded into it called ftp.mydomain.com, as long as ftp.mydomain.com is mapped to 1.1.1.1, the browser will not complain. It will complain however if you type in utm.mydomain.com because it doesn't have the matching certificate.
    If you need multiple certificates, e.g. for SFTP, you will need additional public IP addresses rather than using the UTM interface certificate.

    Would I be right in assuming you are only using one public ip address?

  • No, we have a number of public IPs. The server is using an IP that's used for nothing else and the only port allowed through is 22.

  • I would think the pentest simply uses the external IP of the UTM for its warnings, not port 22.

    It would be interesting on which ports/protocols it complains about using a self-signed certificate. Is eventually the User Portal active for Any IPv4? Or WebAdmin allowed from anywhere outside (which would definitely be a "DON'T DO THAT")?

    Those services use a self-signed certificate if you didn't upload a signed one.

    Normally, SSH/SFTP doesn't use any X.509 certificates but RSA keys that must be known to the SSH server to allow connection or not.

    SSH uses encryption for authentication/login, SSL for transportation to be trusted.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
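One way to answer Kevin's question (which port on the public IP is actually presenting the certificate) from the defender's side, as an added example that is not from this thread or from Sophos: a small Python probe that connects to each candidate port, pulls whatever certificate is offered there, and reports the same two findings the scanner raised. The IP, hostnames and sample certificate are constructed placeholders, and `der_to_dict` assumes the third-party `cryptography` package is installed.

```python
import socket
import ssl

# Constructed stand-in for what a UTM's WebAdmin/User Portal might present:
# a self-signed device certificate (subject == issuer) named after the UTM,
# not after the SFTP host. Not a real certificate from any appliance.
SAMPLE_CERT = {
    "subject": "CN=utm.example.com",
    "issuer": "CN=utm.example.com",
    "dns_names": ["utm.example.com"],
}

def classify(cert: dict, expected_host: str) -> list:
    """Map a presented certificate to the scanner's finding names."""
    findings = []
    if cert["subject"] == cert["issuer"]:          # self-signed: no CA involved
        findings.append("SSL Self-Signed Certificate")
    names = {n.lower() for n in cert["dns_names"]}
    cn = cert["subject"].split("CN=")[-1].split(",")[0].lower()
    if expected_host.lower() not in names | {cn}:  # exact match only, no wildcards
        findings.append("SSL Certificate with Wrong Hostname")
    return findings

def der_to_dict(der: bytes) -> dict:
    """Reduce a DER certificate to the fields classify() needs.
    Needs the third-party `cryptography` package (assumed installed)."""
    from cryptography import x509
    c = x509.load_der_x509_certificate(der)
    try:
        san = c.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        dns = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns = []
    return {"subject": c.subject.rfc4514_string(),
            "issuer": c.issuer.rfc4514_string(), "dns_names": list(dns)}

def probe(ip: str, port: int, expected_host: str, timeout: float = 3.0):
    """Return scanner-style findings for ip:port, or None if no TLS is spoken there."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # inspect the cert, do not trust it
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_host) as tls:
                # getpeercert() is {} when verification is off; fetch DER instead
                return classify(der_to_dict(tls.getpeercert(True)), expected_host)
    except (OSError, ssl.SSLError):
        return None
```

Run `probe("203.0.113.10", port, "sftp.example.com")` for each port the scanner reported (UTM defaults are assumed to be 4444 for WebAdmin and 443 for the User Portal); a port that returns findings is the one answering with the UTM's own certificate, and port 22 should return None.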
