A new beta release

Lee Sharp
Administrator

Posts: 522

A new beta release Aug 17, 2015 1:10:50 GMT yanqian and lowkey101 like this

Quote

Post by Lee Sharp on Aug 17, 2015 1:10:50 GMT

There is a new beta release with all new SNMP installed. We went from ucd-snmp 4.2.7.1 to net-snmp 5.7.3 to allow things like snmp v2 and 64 bit network counters. It also may have fixed some long standing issues graphing memory and CPU. It also has the missing gif in the firewall rules, and some versions notes fixed in the SVN.

Could use some testing!

www.smallwall.org/downloads/generic-pc-1.8.4b9.img
www.smallwall.org/downloads/generic-pc-serial-1.8.4b9.img
www.smallwall.org/downloads/generic-pc-1.8.4b9.iso

beedsley
New Member

Posts: 4

A new beta release Oct 14, 2015 19:38:53 GMT

Quote

Post by beedsley on Oct 14, 2015 19:38:53 GMT

When I test this version with www.ssllabs.com/ssltest/, I get a grade of F, specific to SSL testing we get:

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 INSECURE Yes

Any thoughts on how to configure SmallWall to get the following response on SSL?:

Protocols
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

Also, here is the additional info recieved:

Protocol Details

Secure Renegotiation Supported

Secure Client-Initiated Renegotiation Supported DoS DANGER (more info)

Insecure Client-Initiated Renegotiation No

BEAST attack Not mitigated server-side (more info) TLS 1.0: 0x9

POODLE (SSLv3) No, SSL 3 not supported (more info)

POODLE (TLS) No (more info)

Downgrade attack prevention Unknown (requires support for at least two protocols)

SSL/TLS compression No

RC4 Yes WEAK (more info)

Heartbeat (extension) No

Heartbleed (vulnerability) No (more info)

OpenSSL CCS vuln. (CVE-2014-0224) No (more info)

Forward Secrecy No WEAK (more info)

Next Protocol Negotiation (NPN) No

Session resumption (caching) No (IDs assigned but not accepted)

Session resumption (tickets) Yes

OCSP stapling No

Strict Transport Security (HSTS) No

Public Key Pinning (HPKP) No

Long handshake intolerance No

TLS extension intolerance No

TLS version intolerance No

Incorrect SNI alerts No

Uses common DH primes No, DHE suites not supported

DH public server param (Ys) reuse No, DHE suites not supported

SSL 2 handshake compatibility Yes

Last Edit: Oct 14, 2015 19:41:29 GMT by beedsley

Lee Sharp
Administrator

Posts: 522

A new beta release Oct 14, 2015 21:26:36 GMT

Quote

Post by Lee Sharp on Oct 14, 2015 21:26:36 GMT

Not surprised at all. Keep in mind that we use a self signed certificate. That will set off a bunch of warning bells anyway, but even if I bought a real one it would be insecure on the first release. You have the server and access to it so you have the keys the second I release them!

However, you can add your own certificates, and a good and secure certificate will improve that grade3 a lot!
(If anyone is doing this, I would LOVE to see a comparison!)

As for some of the other issues, it is because we are still on an older version of FreeBSD. When we go to 10.2 it will fix more...

All that aside, why did you open your firewall up to the internet at large anyway? If you are thinking security, just leave the inward face open, and use VPN.

beedsley
New Member

Posts: 4

A new beta release Oct 14, 2015 21:51:16 GMT

Quote

Post by beedsley on Oct 14, 2015 21:51:16 GMT

Agreed, allowing specific IP's for 443 is an excellent practice.

We support a lot of locations that are not related, so supporting that many VPN's isn't really feasible.

Was hoping there was a simple way to disable SSL2 and TLS 1.0, and enable TLS 1.2.

Thoughts?

Last Edit: Oct 15, 2015 0:58:44 GMT by beedsley

Lee Sharp Administrator Posts: 522	A new beta release Oct 15, 2015 2:51:26 GMT Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by Lee Sharp on Oct 15, 2015 2:51:26 GMT I have not even looked into it, to be honest.

sami
New Member

Posts: 9

A new beta release Oct 23, 2015 20:31:04 GMT

Quote

Post by sami on Oct 23, 2015 20:31:04 GMT

Hello!

It seems that Smallwall is using mini_httpd ver 1.21 from ACME Labs.
$ /usr/local/sbin/mini_httpd -V
mini_httpd/1.21 18oct2014

Note: There is a quite recent note about security issue related to this version. See: web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1548

But, based on my quick tests, this mini_httpd seems to have been compiled with openssl older than 1.0.2d. If I compile openssl-1.0.2d, I can use it and try to make connection like:
./apps/openssl s_client -connect www.google.com:443 -tls1_2
./apps/openssl s_client -connect www.google.com:443 -tls1_1
./apps/openssl s_client -connect www.google.com:443 -tls1

With OpenSSL 0.9.8zd only the last one works, but not the tls1_1 or tls1_2.

So, there is no command line option to enable tls1_1/tls1_2 on smallwall. Only way to use those is to recompile newest openssl and newest mini_httpd.

On the other hand, to have protocol support enable like beedsley mentioned, this needs to done while compiling the openssl and mini_httpd.

Any comments from Lee?

Lee Sharp
Administrator

Posts: 522

A new beta release Oct 23, 2015 21:35:07 GMT

Quote

Post by Lee Sharp on Oct 23, 2015 21:35:07 GMT

Sigh... I have a list of software that needs to be updated in SmallWall, and I just went through it a while ago and mini_httpd was current then.

Of the short package list, here it was as of today;

dnsmasq-2.66.tar.gz Current dnsmasq-2.75 www.thekelleys.org.uk/dnsmasq/doc.html
ez-ipupdate-3.0.11b8.tar.gz Current ez-ipupdate-3.0.11b8-13.4.dsc (Need to update yourself)
ip_fil4.1.34.tar.gz -> ip_fil5.1.2.tar.gz (Fixed in 10)
modem-stats-1.0.1.src.elf.tar.gz (Still needed?)
nsupdate -> dudders-1.04.tar.bz2 (Fixed in 10)
php-4.4.9.tar.bz2 Current php55-5.5.28
radius-1.2.5.tgz Current radius-1.2.7.tgz pecl.php.net/package/radius

Fixed
mini_httpd-1.21 Current acme.com/software/mini_httpd/
net-snmp-5.7.3

This does not include openssl which I am not sure if I can update within FreeBSD8 and still have everything work. Note that as listed above, a lot of things are fixed in 10, but it is not yet ready for prime time. However, the fix I am looking for is a way to lock down mini_httpd directly without having to open the can of worms that is openssl yet. And, of course, testing mini_httpd 1.22 now. I hope it is a drop in. (But with the extensive patching, I doubt it...)

And right now I am in the middle of massively updating ez-ipupdate. It would be nice if a few services in the list still existed.

watercooled
Junior Member

Posts: 12

A new beta release Nov 5, 2015 1:45:38 GMT

Quote

Post by watercooled on Nov 5, 2015 1:45:38 GMT

Hi,

I've not long installed the new beta as I think the 64 bit interface counters could come in useful, but I've just checked and it looks like they're still rolling over at around the 4GB mark. Is there an option I need to enable somewhere or are you referring to different counters?

Thanks

Lee Sharp Administrator Posts: 522	A new beta release Nov 5, 2015 5:06:37 GMT Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by Lee Sharp on Nov 5, 2015 5:06:37 GMT Are you looking at the 64 bit counters, or the old 32 bit counters? What is the ODI you are reading?

A new beta release

Post by Lee Sharp on Aug 17, 2015 1:10:50 GMT

Post by beedsley on Oct 14, 2015 19:38:53 GMT

Post by Lee Sharp on Oct 14, 2015 21:26:36 GMT

Post by beedsley on Oct 14, 2015 21:51:16 GMT

Post by Lee Sharp on Oct 15, 2015 2:51:26 GMT

Post by sami on Oct 23, 2015 20:31:04 GMT

Post by Lee Sharp on Oct 23, 2015 21:35:07 GMT

Post by watercooled on Nov 5, 2015 1:45:38 GMT

Post by Lee Sharp on Nov 5, 2015 5:06:37 GMT