Webmin Servers RPC uses insecure SSL v2 instead of v3: blocks secondary DNS/mail server updates when secondary DNS is PCI-DSS

To fix a PCI-DSS scan vulnerability report on our secondary DNS servers, we have set in Webmin Configuration / SSL Encryption / SSL protocol version to 3 instead of the default "Detect automatically".

Btw, default should be 3 or higher, and v2 should be phased out for security reasons ;-)

I had trouble finding an old browser with v2 when I set 2 and got locked out. And ofc that didn't support the strong PCI ciphers "HIGH:-SSLv2:-aNULL". So I could unlock myself by editing the last line of /etc/webmin/miniserv.conf and then restarting webmin via ssh.

From then on, webmin clustering stopped working!

Indeed, it looks like in Webmin / Webmin / Webmin Servers Index / edit / "SSL server? Yes"

gives a valid Server status "Running Webmin 1.560" instead of "Timeout" ONLY IF the remote server also accepts SSL v2 (but v3 ciphers are OK).

Looks like a security issue to me...

I searched for an hour to switch the webmin RPC clustering to SSL v3, but didn't find anywhere such a setting.

v2 should really be phased out in webmin too. All browsers phased it out several releases ago.

Filing it as a bug, as it's a security issue imho.

Status: Active

Comments

Instead of selecting SSL version 3, have you instead tried changing the "Allowed SSL ciphers" to "Only strong PCI-compliant ciphers"? In Webmin 1.570, this prevents use of SSLv2 ... and in my tests, works fine with clustering.

"Allowed SSL ciphers" set to "Only strong PCI-compliant ciphers" is the same imho as limiting ciphers to "HIGH:-SSLv2:-aNULL".

However there is a PCI scan test that fails if Webmin Configuration / SSL Encryption / SSL protocol version is set to the default "Detect automatically" instead of version 3.

And there is indeed a difference for webmin too: if you put "Detect automatically" then Webmin RPC over SSL works fine, but not if you set version 3...
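As an added example (not Webmin's own code), here is a small audit that reads a miniserv.conf and reports whether either of the two mitigations discussed in this thread, forcing the SSL protocol version or restricting the cipher list, actually keeps SSLv2 from being negotiated. The key names ssl_version and ssl_cipher_list, and the reading of an unset ssl_version as "Detect automatically", are assumptions; both sample configs are constructed.

```python
import re

# Constructed sample configs (not from any real server): the stock
# "Detect automatically" state and the cipher-restricted state.
DEFAULT_CONF = """\
port=10000
ssl=1
"""

HARDENED_CONF = """\
port=10000
ssl=1
ssl_cipher_list=HIGH:-SSLv2:-aNULL
"""


def parse_miniserv(text):
    """Parse miniserv.conf's key=value lines into a dict (comments ignored)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def cipher_list_excludes_sslv2(cipher_list):
    """True if an OpenSSL cipher string removes the SSLv2 suites (-SSLv2 or !SSLv2)."""
    tokens = re.split(r"[:,\s]+", cipher_list.strip())
    return any(tok.upper() in ("-SSLV2", "!SSLV2") for tok in tokens)


def audit_sslv2(text):
    """Return a list of findings; an empty list means SSLv2 cannot be negotiated."""
    conf = parse_miniserv(text)
    findings = []
    version = conf.get("ssl_version", "")      # assumed key; unset = auto-detect
    ciphers = conf.get("ssl_cipher_list", "")  # assumed key; unset = library default
    version_blocks = version.isdigit() and int(version) >= 3
    cipher_blocks = bool(ciphers) and cipher_list_excludes_sslv2(ciphers)
    if version == "2":
        findings.append("ssl_version=2 forces SSLv2 for every client")
    if not version_blocks and not cipher_blocks:
        findings.append("SSLv2 reachable: protocol auto-detected and cipher list does not drop SSLv2 suites")
    if ciphers and not cipher_blocks:
        findings.append("ssl_cipher_list is set but still allows SSLv2 suites")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_sslv2(conf) or ["ok"])
```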

What is this PCI test that fails exactly?