I’m trying to harden up security some more.
I’ve gotten through most of the worst issues.
Does anyone have any suggestions on 2 vulnerabilities? I’m using a certificate from Entrust. One is on port 5061 and one is for the WebRTC port of 8089.
For the certs I have my asterisk.key, which is my private key, then I have my asterisk.crt, which is the signed cert from Entrust, as well as my ca.crt, which in this case is my trust root chain from Entrust.
My transport is as follows:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
;cipher=ADH-AES256-SHA,ADH-AES128-SHA256,ECDHE-RSA
method=tlsv1_2
;method tlsv1_2 is supported but zoiper doesn’t like it, at least not currently
allow_reload = yes
;cipher=ECDHE-ECDSA-AES256-GCM-SHA384
verify_client=no
verify_server=yes
My http configuration is set with the following:
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlscertfile=/etc/asterisk/keys/asterisk.crt
tlsdisablev1=yes
tlscipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
tlsdisablev11=yes
Vulnerabilities (2)

SSL Certificate - Signature Verification Failed Vulnerability, port 8089/tcp over SSL
QID: 38173
Category: General remote services
CVE ID:
Vendor Reference:
Bugtraq ID:
Service Modified: 10/25/2018
User Modified:
Edited: No
PCI Vuln: Yes
THREAT:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server’s Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority.
If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication.
IMPACT:
By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur.
Exception:
If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature.
SOLUTION:
Please install a server certificate signed by a trusted third-party Certificate Authority.
COMPLIANCE: Not Applicable
EXPLOITABILITY: There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE: There is no malware information for this vulnerability.
SSL Certificate - Signature Verification Failed Vulnerability, port 5061/tcp over SSL
QID: 38173 (every other field of this finding is identical to the 8089/tcp finding above)
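A "Signature Verification Failed" verdict from a scanner that does know the public Entrust roots usually means the listener sends only the leaf certificate and not the intermediate that links it to the root, so the scanner cannot build a chain. The script below is an added example (not from the original post or from Asterisk) that reproduces that condition offline with a constructed root / intermediate / leaf chain and provides the same check against a live 5061 or 8089 listener; the host name pbx.example.test and all key and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the scanner's
# "Signature Verification Failed" condition offline with a constructed
# root -> intermediate -> leaf chain, then check a served chain the same way.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-ins for Entrust's root, Entrust's intermediate and
# asterisk.crt; all names are placeholders.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > int.ext
printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 2 -extfile int.ext >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=pbx.example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pbx.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 2 -extfile leaf.ext >/dev/null 2>&1

# chain_ok LEAF ROOT [EXTRA...]: succeeds only if a client that trusts just
# ROOT can build a path to LEAF using the EXTRA certificates a server sends.
chain_ok() {
  leaf=$1; root=$2; shift 2
  extra=""
  for c in "$@"; do extra="$extra -untrusted $c"; done
  # Match the textual verdict so the result does not depend on the exit
  # status conventions of older openssl versions.
  openssl verify -CAfile "$root" $extra "$leaf" 2>/dev/null | grep -q ': OK$'
}

# served_chain_ok HOST PORT ROOT: the same test against a live listener
# (e.g. port 5061 or 8089), using exactly what the server sends in the handshake.
served_chain_ok() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERT/,/END CERT/' > served.pem
  [ -s served.pem ] || return 1
  openssl verify -CAfile "$3" -untrusted served.pem served.pem 2>/dev/null | grep -q ': OK$'
}

# Leaf alone, as a server that ships only the leaf presents it: fails.
chain_ok leaf.crt root.crt && echo "leaf only: OK" || echo "leaf only: FAILED (the scanner's finding)"
# Leaf plus intermediate: verifies.
chain_ok leaf.crt root.crt int.crt && echo "with intermediate: OK"
```

If served_chain_ok fails for the real listener while chain_ok passes with the Entrust intermediate added, the listener is not sending the intermediate; the usual remedy is to serve it alongside the leaf (Asterisk loads its cert files as PEM chain files, so appending the intermediate after the leaf in the cert file is the common fix, with ca_list_file on the PJSIP transport as an alternative to check in your version's documentation).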