Status: open
Group: 1.740
Created: Mon Apr 27, 2015 07:30 AM UTC by Balakrishna
Last Updated: Fri Feb 10, 2017 08:46 AM UTC
Owner: nobody
Hi,
Due to recent SSL and TLS renegotiation vulnerabilities, we were able to address SSL by disabling SSLv3, but how do we fix TLS renegotiation, as this is the only supported SSL version left now?
TLS renegotiation vulnerability
Can you provide some more details on this vulnerability?
Recent versions of Webmin disable old SSL versions by default on new installs.
Does it support TLS v1.2?
We urgently need to close the TLSv1.0 findings on Webmin.
Does the latest version address this?
Any update?
Yes, the 1.750 release of Webmin lets you disable older SSL versions at Webmin -> Webmin Configuration -> SSL Encryption.
Does it support TLS 1.2?
If you disable SSL versions 2 and 3, only TLS 1.2 will remain.
I only need TLS 1.2.
If I disable SSLv2 and v3, the version it shows is TLS 1.0.
I only want to have TLS 1.2.
Please advise.
Can you advise, please?
So right now in Webmin there is no option to disable TLS 1.0, 1.1 or 1.2 entirely.
However, it may be possible to do what you want via the cipher list. Which specific vulnerability are you looking to defend against?
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
CVE : CVE-2009-3555
tcp 10000
TLSv1 supports insecure renegotiation.
Can you advise if there is any fix released or config update needed for this?
Ok, I have checked in this fix https://github.com/webmin/webmin/commit/2b77e8f020f3dabab059694f7045a9ae59ee28fd to add options to disable TLS v1, 1.1 or 1.2. These should allow you to disable this vulnerability.
That's a pretty old CVE though - does it rely on the client only making a TLS v1 connection in the first place?
Hi Jamie,
Are you able to confirm if there is a package that comes with SSL2, SSL3 and TLS v1 disabled by default, so we can install it?
Are any config changes required?
The latest Webmin release allows these old SSL versions to be disabled.
Is it disabled by default, or do we need to disable it with additional config?
What's the config required?
The earlier recommendation by you didn't have an option to disable TLS v1.
What's the version of Webmin that allows disabling TLSv1?
The current release (1.760) allows disabling of TLS v1. The next release (1.770) will disable it by default at install time.
Hi Jamie,
Can you confirm if, by default, the latest Webmin version disables TLS 1.0 and TLS 1.1 and only enables TLS 1.2?
The current release disables TLS 1.0, 1.1 and SSL v2 and v3 by default for new installs.
Hi Jamie,
For existing installations, how do we force the use of TLS 1.2?
[bugs:#4590] https://sourceforge.net/p/webadmin/bugs/4590/ TLS renegotiation vulnerability webmin
You can control allowed protocols and ciphers at Webmin -> Webmin Configuration -> SSL Encryption.
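As an added verification step (not part of this thread and not Webmin's own code), a small script that checks a Webmin listener from the outside after the SSL Encryption settings have been changed: it tries one handshake per TLS version on port 10000 and reports whether legacy versions are still accepted and whether the server advertises RFC 5746 secure renegotiation, which is what the CVE-2009-3555 finding is about. It assumes the openssl command-line tool is installed; the host name is a placeholder.

```python
import re
import subprocess

# Added example, not Webmin's own code: check a Webmin listener (default port 10000)
# for the two things the scanner flagged: legacy TLS versions still being negotiated,
# and the absence of RFC 5746 secure renegotiation (CVE-2009-3555). Needs openssl on PATH.

PROTO_FLAGS = {"TLSv1": "-tls1", "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2"}

def parse_s_client(output):
    """Pull the negotiated protocol, cipher and renegotiation line out of s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    reneg = re.search(r"Secure Renegotiation IS (NOT )?supported", output)
    # A refused version still prints a Protocol line, but the cipher shows as 0000 / (NONE).
    ok = cipher is not None and cipher.group(1) not in ("0000", "(NONE)")
    return {
        "handshake_ok": ok,
        "protocol": proto.group(1) if proto else None,
        "secure_renegotiation": (reneg.group(1) is None) if reneg else None,
    }

def assess(results):
    """Turn per-version parse results into findings, the way a vulnerability scanner reports them."""
    findings = []
    for name, r in results.items():
        if not r["handshake_ok"]:
            continue
        if name != "TLSv1.2":
            findings.append(f"{name} still accepted")
        if r["secure_renegotiation"] is False:
            findings.append(f"{name} allows insecure renegotiation (CVE-2009-3555)")
    return findings

def probe(host, port=10000):
    """One handshake per protocol version; needs network access to host:port."""
    results = {}
    for name, flag in PROTO_FLAGS.items():
        cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", flag]
        proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=15)
        results[name] = parse_s_client(proc.stdout + proc.stderr)
    return results

# Constructed, abbreviated s_client transcript so the parser can be exercised offline.
SAMPLE_LEGACY = """New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""
```

Run `assess(probe("webmin.example"))` against your own host; an empty list means only TLS 1.2 is negotiated and secure renegotiation is offered.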