Overview
When running the PCI Scan Security Report, you might get the following medium-severity finding:
Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)
This article provides the steps on how to address this vulnerability in Kerio Control version 1.0.2j.
Prerequisite
Access to Kerio Control via SSH
Root Cause
Kerio Control uses the OpenSSL library on Linux. This vulnerability should be fixed by this commit in OpenSSL, which will be included in OpenSSL version 1.1.1.
Workaround
- Make the disk writable by using the following command:
  mount -o remount,rw /
- Replace the contents of the /etc/ssh/sshd_config file with the contents of the suggested_sshd_config.txt file (see attachment below).
- Execute the following commands:
  /etc/boxinit.d/31ssh stop
  /etc/boxinit.d/31ssh start
  mount -o remount,ro /
Explanation and Final Considerations
The following are the changes that you will find in the new sshd_config file:
- The HostKey /var/ssh/ssh_host_dsa_key line has been commented out.
- The following lines have been added at the end of the sshd_config file:
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
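As an added example (not from this article or the attachment), the script below applies the same three changes to a working copy of sshd_config in an idempotent way, so re-running it never duplicates the algorithm lines, and syntax-checks the result with sshd -t before you restart the service. The sample "before" config is constructed for the demo; the script does not touch /etc/ssh/sshd_config or /etc/boxinit.d/31ssh, and it skips the sshd -t check when sshd is not installed.

```shell
#!/bin/sh
# Added example, not from the Kerio article: apply the article's sshd_config changes to a
# working copy, idempotently, then validate with sshd -t before the real file is replaced.
# Assumptions: POSIX sh with sed/grep/mktemp; the sample config below is constructed.

KEX='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
CIPHERS='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
MACS='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'

# write_sample_config FILE: constructed "before" config containing the DSA HostKey line.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
HostKey /var/ssh/ssh_host_rsa_key
HostKey /var/ssh/ssh_host_dsa_key
PermitRootLogin yes
EOF
}

# harden_sshd_config IN OUT: comment out the DSA host key line and append each
# algorithm line only when it is not already present verbatim (grep -x = whole line).
harden_sshd_config() {
    sed 's|^[[:space:]]*HostKey /var/ssh/ssh_host_dsa_key|#&|' "$1" > "$2"
    for line in "$KEX" "$CIPHERS" "$MACS"; do
        grep -qxF "$line" "$2" || printf '%s\n' "$line" >> "$2"
    done
}

# count_exact FILE LINE: number of lines in FILE exactly equal to LINE.
count_exact() { grep -cxF "$2" "$1"; }

# validate_sshd_config FILE: run sshd's config syntax check; 0 if sshd is absent (nothing to check).
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"; else return 0; fi
}

WORK=$(mktemp -d)
write_sample_config "$WORK/sshd_config.before"
harden_sshd_config "$WORK/sshd_config.before" "$WORK/sshd_config.after"
# Second pass over the already-hardened file: must produce an identical result.
harden_sshd_config "$WORK/sshd_config.after" "$WORK/sshd_config.after2"
validate_sshd_config "$WORK/sshd_config.after" || echo "sshd -t reported a problem; do not install this file"
```

On the appliance you would point the script at a copy of /etc/ssh/sshd_config, inspect the output, and only then perform the remount, replace and 31ssh restart steps from the Workaround section.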
The issue should be fully fixed after upgrading the OpenSSL library in Kerio Control.
Attachment