Thread: OpenVPN and SSL

  1. #1
    Untangler
    Join Date
    Oct 2007
    Posts
    72

    Default OpenVPN and SSL

    Hello and as always, thank you for taking the time to answer this post.

    My customer's PCI Compliance Provider "failed" them, stating that a "Self-Signed (Untangle default)" certificate was assigned to port 1194. As I have disabled HTTPS access to the Untangle and only access it via OpenVPN, I didn't feel the need to install an SSL provider's certificate.

    My question is: if I install an SSL certificate under CONFIG >> ADMINISTRATION >> CERTIFICATES, will it cover whatever the PCI Compliance Provider's issue is?

    Thank you

  2. #2
    Untangler
    Join Date
    Oct 2007
    Posts
    72

    Default

    Still looking forward to any thoughts on the topic.

    Thank you

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,729

    Default

    Certs in /admin/index.do#config/administration/certificates are only for administrative GUI, IPsec, SMTPS, or RADIUS connections. OpenVPN certificates are unique pairs for each user, since it uses certificate-based authentication, so this will never pass a PCI scan. If a PCI scan is a requirement, an exception will need to be filed with the scanner.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,234

    Default

    Yeah, the certificate on Untangle's OpenVPN interface is self signed, and part of a self trusted authority that can produce all the certificates needed for all the clients.

    This trust chain will never be publicly trusted, nor should it be so.

    This error is false, the scanner shouldn't even care about OpenVPN as a service. The compliance provider should be told to... How shall I put it... Pound sand? That's probably the most forum friendly way to say that.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
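The point sky-knight makes above (a private CA that signs the server and every client certificate, and is never in any public trust store) can be reproduced with plain openssl. The script below is an added example written for this page; it is not Untangle's code and does not touch an Untangle box. It builds a throwaway private CA and a server certificate signed by it (the CA name, hostname and key sizes are made up), then verifies the server certificate twice: once against the private CA, as an OpenVPN client that ships with the CA file would, and once against the system trust store, which is all an external scanner has. The first check passes and the second fails, which is the scanner finding in miniature.

```shell
#!/bin/sh
# Added example: private OpenVPN-style PKI vs. the public trust store.
# Requires the openssl command-line tool; everything is written to a temp dir.

# Create a self-signed CA plus one server certificate issued by it.
# Subject names and key sizes are illustrative only.
make_private_pki() {
  dir=$(mktemp -d) || return 1
  # Self-signed root: this is the "self trusted authority" for the VPN.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=example-private-vpn-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  # Server key and CSR, then sign the CSR with the private CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=vpn.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -out "$dir/server.pem" >/dev/null 2>&1 || return 1
  printf '%s\n' "$dir"
}

# What a VPN client does: it carries ca.pem, so the chain validates.
verify_with_private_ca() {
  openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# What an external scanner does: only the system (public) trust store,
# which does not contain the private CA, so validation fails.
verify_with_public_store() {
  openssl verify "$1/server.pem" >/dev/null 2>&1
}

# Stand-alone run: print both outcomes.
if [ "${0##*/}" != "sh" ] && [ -z "$PKI_DEMO_NO_MAIN" ]; then
  d=$(make_private_pki) || { echo "PKI setup failed"; exit 1; }
  if verify_with_private_ca "$d"; then echo "private CA:   server cert OK"; fi
  if verify_with_public_store "$d"; then echo "public store: server cert OK"
  else echo "public store: server cert NOT trusted (expected)"; fi
  rm -rf "$d"
fi
```

The second result is exactly what a scanner reports as "self-signed": the certificate is valid within the VPN's own trust chain, and no CA the scanner knows about vouches for it. Adding the private CA to a public store would defeat the purpose, so the finding cannot be "fixed" by changing the certificate.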

  5. #5
    Untangler
    Join Date
    Jul 2018
    Posts
    38

    Default

    You could always temporarily disable the 'allow OpenVPN' Access Rule & run the scan again. That port will be closed, so the scan will pass. Re-enable the Access Rule once it's done and resume normal operation.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,234

    Default

    Quote Originally Posted by gravenscroft:
    > You could always temporarily disable the 'allow OpenVPN' Access Rule & run the scan again. That port will be closed, so the scan will pass. Re-enable the Access Rule once it's done and resume normal operation.
    And that would be in direct violation of scanning protocol, and the law in some places.

  7. #7
    Untangler
    Join Date
    Oct 2007
    Posts
    72

    Default

    Thank you everyone as always. You've all provided great clarity to the issue. I did ask (and was granted) an exception.

    Thank you again.
