Crossposted using Lemmit.
Original post from /r/cybersecurity by /u/plump-lamp on 2023-07-06 21:07:29+00:00.
Our vulnerability scanner indicates an internally hosted & internal only site allows TLS 1.0. It does not because we have disabled SSL3/TLS1/TLS 1.1 via IIS Crypto (win svr 2019). I ran an openssl test for 1.0 connectivity which confirmed correct:
openssl s_client -connect xxx.xxx.xxx:443 -tls1
CONNECTED(000001BC)
3C360000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl\statem\statem_lib.c:104:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
When I inquired to support as to if this is a false positive they responded with:
The protocol might be disabled as per the command you run, but please note that the protocol is enabled on the certificate itself that was presented by the client. The scanner looks at the certificate details and finds tls1.0 enabled at the cert which therefore flags the vulnerability. You can submit another CSR having tls1.0 protocol disabled or delete the cert from the system if it isn’t being used.
We issue certs via our internal msft cert authority. Is this still a valid actual vulnerability based on their response? Can you even control which TLS protocols certificates allow? This isn’t something I have ever heard of.
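
An added example, not part of the original post: a small Python classifier for openssl s_client transcripts that separates a failure raised inside the local OpenSSL client from a refusal sent by the server. The first sample is the transcript from the post; the other two are constructed, and the verdict names are this example's own.

```python
import re

ERR = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:([^:]*):([^:]+):")
BYTES = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
CIPHER = re.compile(r"Cipher is (\S+)")

# Transcript from the post (trimmed to the lines the classifier reads).
POST = r"""CONNECTED(000001BC)
3C360000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl\statem\statem_lib.c:104:
no peer certificate available
SSL handshake has read 0 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)
"""
# Constructed sample: the server answers the ClientHello with a fatal alert.
SERVER_ALERT = r"""CONNECTED(000001BC)
1C4A0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl\record\rec_layer_s3.c:1605:SSL alert number 70
SSL handshake has read 7 bytes and written 188 bytes
New, (NONE), Cipher is (NONE)
"""
# Constructed sample: the handshake completes, so the protocol is accepted.
NEGOTIATED = """CONNECTED(000001BC)
SSL handshake has read 1530 bytes and written 310 bytes
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
"""

def classify(transcript):
    """Return (verdict, detail) for one s_client transcript."""
    errors = ERR.findall(transcript)          # [(function, reason), ...]
    m = BYTES.search(transcript)
    read, written = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    c = CIPHER.search(transcript)
    if c and not c.group(1).startswith("(NONE"):
        return "negotiated", c.group(1)
    # OpenSSL appends "SSL alert number N" when a fatal alert is received.
    if "SSL alert number" in transcript:
        return "server_rejected", errors[-1][1] if errors else "alert"
    # Raised while the client sets up its own handshake. 7 bytes written is
    # one alert record (5-byte header + 2-byte body), not a ClientHello.
    for func, reason in errors:
        if reason == "no protocols available":
            return "client_side_failure", f"{func}: {reason}"
    return "inconclusive", f"read={read} written={written}"

if __name__ == "__main__":
    for name, text in [("post", POST), ("alert", SERVER_ALERT), ("ok", NEGOTIATED)]:
        print(name, classify(text))
```
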