Phone Lines icon GFI Support Home

Articles in this section

TLS Triple Handshake Vulnerability

Author: Vladyslav Velychko Updated

Overview

 

When running the PCI Scan Security Report, you might get the following medium vulnerability:

Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)

mceclip0.png

 

This article provides the steps on how to address this vulnerability in Kerio Control version 1.0.2j.

 

Prerequisite

 

Access to Kerio Control via SSH

 

Root Cause

 

Kerio Control is using the OpenSSL Linux library. This vulnerability should be fixed in this commit by OpenSSL, which will be included in version 1.1.1.

 

Workaround

 

  1. Log in to Kerio Control using SSH.

  2. Make the disk writable by using the following command:

    mount -o remount,rw /

  3. Replace the /etc/ssh/sshd_config file content with the contents of the suggested_sshd_config.txt file (see attachment below).

  4. Execute the following commands:

    /etc/boxinit.d/31ssh stop

    /etc/boxinit.d/31ssh start

    mount -o remount,ro /

 

Explanation and Final Considerations

 

The following are the changes that you will find in the new ssh_config file:

  • The HostKey /var/ssh/ssh_host_dsa_key line has been commented out.

  • The following lines have been added to the last part of the sshd_config file:

    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

The issue should be fully fixed after upgrading the OpenSSL library in Kerio Control.

 

back to top

Attachment

 

Related articles