I recently ran a security audit of my network and got multiple warnings, all due to some weak SSL/TLS configuration on the admin interface.
5.0 (Medium) SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
4.3 (Medium) SSL/TLS: Report Weak Cipher Suites
4.3 (Medium) SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
4.3 (Medium) jQuery < 3.4.0 Object Extensions Vulnerability
Unfortunately, I was not able to pinpoint the configuration file for the Turris administration web interface. So maybe one of you can point out to me where it is. I’ll be happy to create a pull request for a hardened configuration.
Here follow the details for all the issues above.
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
‘Vulnerable’ cipher suites accepted by this service (443/tcp)
Solution: The configuration of this services should be changed so that it does not accept the listed cipher suites anymore.
SSL/TLS: Report Weak Cipher Suites
‘Weak’ cipher suites accepted by this service (443/tcp)
Solution: The configuration of this services should be changed so that it does not accept the listed weak cipher suites anymore.
SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).
Solution: Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group
Device: Turris Omnia
Turris OS version: 3.11.16
Kernel version: 4.4.187-a890a5a94ebb621f8f1720c24d12fef1-0
foris version: 100.3-3.6-1