PCI Scan Fail - tcp5001 supports SSLv3 and TLS1.0

Discussion in '3CX Phone System - General' started by sjp_crs, Sep 19, 2016.

Thread Status:
Not open for further replies.
  1. sjp_crs

    Having got our 3CX PBX running for a trial period, we have run into one problem with our external PCI Vulnerability scan.

    Apparently, the HTTPS Webserver integrated with the 3CX PBX supports SSLv3 and TLS1.0, which are automatic fails now with the new PCI DSS 3.1 standard. I can request an exception...but I'd rather not deal with that paperwork if there is a simple fix ;)

    Is there any way to disable these and still keep registration working for remote iPhone/Android clients? For now, I have simply blocked 5000/5001 at the firewall, but this then breaks presence on the smartphones.

    My remote sites are thankfully all unaffected as they use IPSEC tunnels to communicate to the central location.

    Thanks for any suggestions !

    Steve
     
  2. roadwings

    PCI or not, I agree with what you are saying. I have also blocked 5000 & 5001 at the firewall. I do not like opening ports for no good reason. We do not have many people who need to access the PBX from outside our network, and those who do use VPN because they will need access to additional resources on the network.

    I really wish that 3CX would allow much more flexibility with the IP settings, FQDN, ports and such. They said to open 5001 so that web meeting will work, but web meeting is no longer on-premise (I really wish it were and used my FQDN), so why should I open myself up to hacking by opening the port to the admin console? Not a good idea in my opinion. The PCI SSL & TLS issues are of concern too. Good catch.
     
  3. sjp_crs

    I'd even be happy if I could separate the registration/presence functions and the admin console. I'm kinda surprised those use the same port; it seems like that should be a simple matter of running a second web instance for the two functions internally.
     
  4. cscforce

    I have been working on this. SSL protocols can be explicitly called out in the nginx server configuration. "\Program Files\3CX Phone System\Bin\nginx\nginx.conf" using "ssl_protocols TLSv1.1 TLSv1.2;" and changing the cipher suite to "ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';". (credit to https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html)

    This provides for PCI compliance and effectively disables TLS 1.0. The Android version of the 3CX phone app still works with presence. The problem with this solution is that the Windows 3CX app then will not connect. I believe the problem to be that the Windows app does not support TLS 1.1 or TLS 1.2. Any help would be appreciated from 3CX (like a Windows app update!)
     
  5. sjp_crs

    Figures... fix one thing, break another. Is it just remote Windows clients that break, or local-subnet ones too? (I'm working remote today, so I can't easily check in the office where I'm testing!)
     
  6. cscforce

    Unfortunately it breaks locals too.
     
  7. andreaschr

    andreaschr Support Team
    Staff Member 3CX Support

    Hi,
    SSLv3 is not supported and we do not use it in our nginx configuration.
    I can assure you that our configuration is secure.
    You can check it on https://www.ssllabs.com/ssltest.
    You will get an A+ rating.
     
  8. sjp_crs

    1. SSLv3 is a mistake on my part - the original report I had stated both TLS1.0 and SSLv3
    2. My Admin port runs on 5001, not 443, and SSLLabs won't let me test on 5001 and I already have a site on 443. However, a number of other test sites all indicate that TLS1.0 is supported via port 5001, including my PCI Verification authority, Trustwave.
    3. TLS1.0 is no longer acceptable for PCI compliance. TLS1.0 is enabled in nginx by default unless you turn it off.
    4. Turning off TLS1.0 causes all the Windows clients to lose registration/presence. Android clients continue to work.
    5. Blocking port 5001 from the internet solves the PCI compliance, but breaks presence for Android clients.
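
    Because SSL Labs only scans tcp/443, the practical question raised here is how to check tcp/5001 directly. The script below is an added example, not code from the thread or from 3CX: it probes a host and port for each SSL/TLS version using .NET's SslStream, the same stack the Windows 3CXPhone client relies on, so it can be run from any Windows machine that can reach the PBX. `pbx.example.com` and port 5001 are placeholders to replace with your PBX FQDN and HTTPS port.

```powershell
# Added example, not code from the thread or from 3CX.
# Probes host:port for each SSL/TLS version with .NET's SslStream, the same stack the
# Windows 3CXPhone client relies on. SSL Labs only tests tcp/443; this covers tcp/5001.
# pbx.example.com and 5001 are placeholders: substitute your PBX FQDN and HTTPS port.
param(
    [string]$TargetHost = 'pbx.example.com',
    [int]$Port = 5001
)

function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($TargetHost, $Port)
        # Accept any certificate: the question is whether a handshake completes for this
        # exact version, not whether the chain validates.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Offer exactly one protocol version; a server that refuses it aborts the handshake.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        [pscustomobject]@{
            Protocol  = $Protocol.ToString()
            Supported = $true
            Cipher    = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
        }
    }
    catch {
        # Refusal surfaces as an AuthenticationException, or an IOException if the server
        # simply drops the TCP connection; either way the version is not negotiable.
        [pscustomobject]@{ Protocol = $Protocol.ToString(); Supported = $false; Cipher = $null }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Same rows as a PCI protocol scan, newest first. SSLv2 is outside what SslStream can
# offer, so that row needs a different tool.
$versions = [System.Security.Authentication.SslProtocols]::Tls12,
            [System.Security.Authentication.SslProtocols]::Tls11,
            [System.Security.Authentication.SslProtocols]::Tls,
            [System.Security.Authentication.SslProtocols]::Ssl3

$results = foreach ($v in $versions) {
    Test-TlsVersion -TargetHost $TargetHost -Port $Port -Protocol $v
}
$results | Format-Table -AutoSize

# PCI DSS 3.1 fails SSLv3 and TLS 1.0 outright; exit non-zero so this can gate a change.
$weak = @($results | Where-Object { $_.Supported -and $_.Protocol -in @('Ssl3', 'Tls') })
if ($weak.Count -gt 0) {
    Write-Warning ("Weak protocol(s) accepted on {0}:{1}: {2}" -f $TargetHost, $Port, ($weak.Protocol -join ', '))
    exit 1
}
```

    Two caveats when reading the output. The result is the intersection of what the server offers and what the probing host's own Schannel configuration allows, so a version disabled on the probing machine will read as Not Supported whatever the server does; run it from a host that still has the old versions enabled, or cross-check with `openssl s_client -connect pbx.example.com:5001 -tls1` from a Linux box. And the thread's target of TLSv1.1/TLSv1.2 reflects PCI DSS 3.1 in 2016; RFC 8996 has since deprecated TLS 1.0 and 1.1 as well, so a current configuration would leave only TLSv1.2 (and TLSv1.3 where the nginx build supports it).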
     
  9. sjp_crs

    Still hoping for something here ;)
     
  10. dfw185012

    Here's a thought :D

    Find a router that supports Remote Access VPN, and configure the phones to use their built-in VPN clients to connect to the network. Close the 5000/5001 ports to the internet and leave TLS 1.0 operational. That way the ports do not show on the PCI compliance scan, users can connect via their phones over the VPN, and local users are not affected at all.

    A little out-of-the-box thinking, and not the easiest solution, but I have implemented this for clients with the same issues using other phone systems in the past. The biggest downside is training users on VPN client usage and making sure they connect before opening the client.
     
  11. sjp_crs

    The VPN solution is workable, and my firewalls support it, but it seems silly to have to jump through all these hoops to solve what should be a simple update to the Windows client to support TLS 1.2. The Android and iPhone clients already do, and NGINX certainly does. The client appears to use the OpenSSL libraries... I can't see why this is that difficult.

    I'm lucky right now that I don't have a lot of Android/iPhone users, and we don't have any sort of remote presence today, so it's not like they are going to lose any functionality. The client can still make and receive calls without issue... it's just the presence that seems to get broken by blocking the ports.

    It would be nice to get some sort of response from 3CX on the issue - even if it's 'huh, didn't think of that, we'll add it to the list for SP3' or whatever.
     
  12. norekhov

    3CX Support

    There's a fix for Windows 3CXPhone clients to use TLS 1.2 since clients rely on .NET defaults.

    You have two options.
    1. Set SchUseStrongCrypto on a client machine and TLS 1.2 will be enabled. See how to do it here http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5

    2. Update .NET to 4.6 and TLS 1.2 will be enabled. Remember that .NET 4.5 is no longer supported by Microsoft while 3CXPhone still can use it.

    Of course, a 3rd option would be to enable it in 3CXPhone itself. We'll discuss it.
     
  13. sjp_crs

    Awesome. I will try this tomorrow and report back. Being able to give the boss presence detail on his Smartphone, and still keeping the PCI compliance will make everyone very happy ;)

    Thanks !
     
  14. sjp_crs

    Tried this this morning, and it worked!

    Caveat - You do need to make 2 entries in the registry even if you are running 4.6.2 (at least in my experience).
    Code:
    Windows Registry Editor Version 5.00

    ; 64-bit .NET Framework 4.x processes read this key
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    ; 32-bit .NET Framework 4.x processes on 64-bit Windows read this one
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    You can then add the following line to the nginx.conf file :
    Code:
    ssl_protocols TLSv1.1 TLSv1.2; 
    
    Having done that, I restarted the Windows client, and I was able to connect and get presence information. My Android clients can also get presence, and I ran a PCI Vulnerability scan after opening the external ports:
    Code:
    TLS v1.2    Supported        Immune to TLS POODLE attack
    TLS v1.1    Supported        Immune to TLS POODLE attack
    TLS v1.0    Not Supported    Immune to TLS POODLE attack
    SSL v3.0    Not Supported    Immune to SSLv3 POODLE attack
    SSL v2.0    Not Supported    Immune to DROWN attack
    
    So, no TLSv1.0, no SSLv3.0, no SSL v2.0, All the clients can talk to the PBX, all the presence works. Happy Campers all round :)

    Thanks !!
    Steve
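
    The registry step from the posts above, as an added PowerShell example (not code from the thread or from 3CX): it sets SchUseStrongCrypto under both the native and the Wow6432Node .NET Framework 4.x keys idempotently and reads the values back. The reason the flag is needed even with .NET 4.6.2 installed, as the poster found, is that the 4.6 default protocol set of TLS 1.0/1.1/1.2 applies to applications built against 4.6 or later; an application built against 4.5 keeps the legacy SSL 3.0/TLS 1.0 default unless SchUseStrongCrypto is 1, and a 3CXPhone that targets 4.5 therefore cannot reach an nginx limited to TLSv1.1/TLSv1.2 until the flag is set.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from 3CX: the registry step as an
# idempotent script. SchUseStrongCrypto is read by .NET Framework 4.x at process start.
# On 64-bit Windows a 32-bit process is redirected to the Wow6432Node key and a 64-bit
# process reads the native key, so both are set, matching what the poster found necessary.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-SchUseStrongCrypto {
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($path in $Paths) {
        # Create the key if it is missing, then write the DWORD (overwrites any old value).
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
    }
}

function Get-SchUseStrongCrypto {
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($path in $Paths) {
        $item  = Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
        $value = if ($item) { $item.SchUseStrongCrypto } else { '(not set)' }
        [pscustomobject]@{ Key = $path; SchUseStrongCrypto = $value }
    }
}

Set-SchUseStrongCrypto -Paths $keys
Get-SchUseStrongCrypto -Paths $keys | Format-Table -AutoSize

# The value only affects processes started after it is written, so restart 3CXPhone.
# Quick check of the default protocol set a fresh .NET process now gets
# (Windows PowerShell is itself a .NET Framework 4.x host):
& powershell.exe -NoProfile -Command '[System.Net.ServicePointManager]::SecurityProtocol'
```

    Run it in an elevated session; the two HKLM keys are not writable otherwise. The final line shows the effective default for a newly started .NET process and is a sanity check, not a substitute for restarting the client and confirming registration and presence as described in the post above.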
     
  15. roadwings

    You should work at 3CX and be in upper management.
     