To fix a PCI-DSS scan vulnerability report on our secondary DNS servers, we have set in Webmin Configuration / SSL Encryption / SSL protocol version to 3 instead of the default "Detect automatically".
Btw, default should be 3 or higher, and v2 should be phased out for security reasons ;-)
I had trouble finding an old browser with v2 when I set 2 and got locked out. And ofc that didn't support the strong PCI ciphers "HIGH:-SSLv2:-aNULL". So I could unlock myself by editing the last line of /etc/webmin/miniserv.conf and then restarting webmin by ssh.
From then on, webmin clustering stopped working!
Indeed, it looks like in Webmin / Webmin / Webmin Servers Index / edit / SSL server? Yes
Gives a valid Server status "Running Webmin 1.560" instead of "Timeout" ONLY IF the remote server also accepts SSL v2 (but v3 ciphers is ok).
Looks like a security issue to me...
I searched for an hour to switch the webmin RPC clustering to SSL v3, but didn't find anywhere such a setting.
v2 should really be phased out in webmin too. All browsers phased it out since quite some releases.
Filing it as a bug, as it's a security issue imho.
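The two settings the report touches (the SSL protocol version and the allowed cipher list in /etc/webmin/miniserv.conf) are easy to audit across a fleet of servers before a PCI scan. The script below is an added example, not code from Webmin or from this thread: it parses the key=value format of miniserv.conf and flags a server whose protocol version is still auto-detected or whose cipher list does not exclude SSLv2 and anonymous ciphers. The key names `ssl_version` and `ssl_cipher_list` are assumptions about what the "SSL protocol version" and "Allowed SSL ciphers" fields write; confirm them against your own miniserv.conf before relying on the check. The two sample configurations are constructed for the example.

```python
"""Audit the TLS-related keys of a Webmin miniserv.conf-style file.

Added example, not Webmin's own code. The key names ssl_version and
ssl_cipher_list are assumptions (confirm against your miniserv.conf).
"""
from typing import Dict, List

# Constructed sample: a server left on the defaults (protocol auto-detected,
# no cipher restriction) ...
LEGACY_CONF = """\
port=10000
ssl=1
keyfile=/etc/webmin/miniserv.pem
"""

# ... and the same server after pinning the protocol version and the
# PCI cipher list quoted in the report.
HARDENED_CONF = """\
port=10000
ssl=1
keyfile=/etc/webmin/miniserv.pem
ssl_version=3
ssl_cipher_list=HIGH:-SSLv2:-aNULL
"""


def parse_miniserv_conf(text: str) -> Dict[str, str]:
    """Parse the one-key=value-per-line format, skipping blanks and comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _excluded(cipher_list: str, name: str) -> bool:
    """True if an OpenSSL-style cipher list removes `name` via -name or !name."""
    tokens = cipher_list.split(":")
    return any(tok in ("-" + name, "!" + name) for tok in tokens)


def audit_ssl_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    if settings.get("ssl") != "1":
        findings.append("ssl is not enabled; TLS settings are not in effect")
        return findings

    version = settings.get("ssl_version")
    if version is None:
        findings.append("ssl_version unset: protocol version is auto-detected, "
                        "so an SSLv2 handshake may still be accepted")
    elif version == "2":
        # The trap described in the report: forcing v2 locks out current browsers.
        findings.append("ssl_version=2 forces SSLv2 only; modern clients are locked out")

    ciphers = settings.get("ssl_cipher_list", "")
    if not ciphers:
        findings.append("ssl_cipher_list unset: library default cipher list in use")
    else:
        if not _excluded(ciphers, "SSLv2"):
            findings.append("ssl_cipher_list does not exclude SSLv2 ciphers")
        if not _excluded(ciphers, "aNULL"):
            findings.append("ssl_cipher_list does not exclude anonymous (aNULL) ciphers")
    return findings


def audit_text(conf_text: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_ssl_settings(parse_miniserv_conf(conf_text))


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_text(conf) or ["ok"])
```

Run it against a real file with `audit_text(open("/etc/webmin/miniserv.conf").read())`; the legacy sample yields two findings, the hardened sample none. The check only reads the configuration, it does not probe the listener, so it tells you what the server is configured to accept, not what a scanner will observe.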
Comments
Submitted by JamieCameron on Fri, 10/14/2011 - 16:42 Comment #1
Instead of selecting SSL version 3, have you instead tried changing the "Allowed SSL ciphers" to "Only strong PCI-compliant ciphers" ? In Webmin 1.570, this prevents use of SSLv2 ... and in my tests, works fine with clustering.
Submitted by beat on Fri, 10/14/2011 - 18:01 Comment #2
"Allowed SSL ciphers" to "Only strong PCI-compliant ciphers" is the same imho as limiting ciphers to: "HIGH:-SSLv2:-aNULL"
However there is a PCI scan test that fails if Webmin Configuration / SSL Encryption / SSL protocol is set to the default "Detect automatically" instead of being set to version 3.
And there is indeed a difference for webmin too: if you put "Detect automatically" then the Webmin RPC over SSL works fine, but not if you set version 3...
Submitted by JamieCameron on Fri, 10/14/2011 - 20:30 Comment #3
What is this PCI test that fails exactly?