OpenVPN and SSL

**Nicolus** · 07-12-2021, 06:58 AM

Hello and as always, thank you for taking the time to answer this post.

My customer's PCI Compliance Provider "failed" them stating that an "Self-Signed (Untangle default) was assigned to port 1194. As I have disabled https access to the Untangle and only access it via OpenVPN I didn't feel the need to install an SSL provider's certificate.

My question is, if I install an SSL under the CONFIG>>ADMINISTRATION>>CERTIFICATES will it the cover whatever the PCI Compliance Provider's issue?

Thank you

**Nicolus** · 07-28-2021, 12:23 PM

Still looking forward to any thoughts on the topic.

Thank you

**jcoffin** · 07-28-2021, 12:51 PM

Certs in /admin/index.do#config/administration/certificates is only for administrative GUI, IPsec, SMTPS, or RADIUS connections. OpenVPN certificates are unique pairs for each user since it uses certificate based authentication so this will never pass PCI scan. If PCI scan is a requirement, an exception will be needed to be files with the scanner.

**sky-knight** · 07-28-2021, 01:02 PM

Yeah, the certificate on Untangle's OpenVPN interface is self signed, and part of a self trusted authority that can produce all the certificates needed for all the clients.

This trust chain will never be publicly trusted, nor should it be so.

This error is false, the scanner shouldn't even care about OpenVPN as a service. The compliance provider should be told to... How shall I put it... Pound sand? That's probably the most forum friendly way to say that.

**gravenscroft** · 07-30-2021, 05:09 AM

You could always temporarily disable the 'allow OpenVPN' Access Rule & run the scan again. That port will be closed, so the scan will pass. Re-enable the Access Rule once it's done and resume normal operation.

**sky-knight** · 07-30-2021, 06:53 AM

Originally Posted by gravenscroft

You could always temporarily disable the 'allow OpenVPN' Access Rule & run the scan again. That port will be closed, so the scan will pass. Re-enable the Access Rule once it's done and resume normal operation.

And that would be in direct violation of scanning protocol, and the law in some places.

**Nicolus** · 08-01-2021, 09:13 AM

Thank you everyone as always. You've all provided great clarity to the issue. I did ask (and was granted) an exception.

Thank you again.

Thread: OpenVPN and SSL

LinkBack

Thread Tools

OpenVPN and SSL

Tags for this Thread

Posting Permissions