Nessus Scanner reporting Medium Vulnerability on SSL Certs

Hi,

We have an M370 Firebox and have recently moved from SSLVPN to IKEv2. However, we have one home user who we just can't get working on IKEv2 and have thus needed to leave SSLVPN active for this one user.

Our parent organisation runs weekly Nessus scans and these report:

Medium Vulnerability Name: "SSL Self-Signed Certificate" and "SSL Certificate Cannot Be Trusted"

What steps do I need to take to prevent these vulnerabilities being picked up by the Nessus scan while we continue to provide SSLVPN access to this one user?

Many thanks,
Graham

Comments

  • If the scan is complaining because this is a self-signed cert, presumably you can import certificates that are signed by a CA your organization trusts to replace the default self-signed Firebox SSLVPN certs.

    About Certificates
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/certificates_about_c.html

  • edited May 2023

    As Bruce_Briggs has mentioned, replacing the SSL (web) certificate with a trusted third party certificate would be the way to resolve this (it obviously has to be one the Nessus scanner recognises too, so can't use an internal CA signed one either).

    Had a client who got this raised in a security scan and the comment back from the security organisation was that self-signed certs are to be treated as insecure, which is a bit much but their point was the cert had to be issued by a trusted third party provider to be considered secure/trusted and pass the security scan.
    This also means making sure you are using a DNS name and not an IP address for your SSL VPN endpoint for that one user.
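A pre-scan check for the advice in this thread, added here as an example (not from the original posts or from WatchGuard): it connects to the SSLVPN endpoint the way a scanner does, using the OS trust store with hostname checking, and maps an OpenSSL verify failure onto the two Nessus finding names, while also refusing an IP literal as the endpoint. The host name `sslvpn.example.com` is a hypothetical placeholder.

```python
"""Check a Firebox SSLVPN endpoint for the two Nessus findings in the thread
(self-signed / untrusted chain) and the DNS-name caveat, standard library only."""
import ipaddress
import socket
import ssl

# Hypothetical endpoint: replace with the SSLVPN DNS name (not its IP address).
SSLVPN_HOST = "sslvpn.example.com"
SSLVPN_PORT = 443


def endpoint_is_dns_name(host: str) -> bool:
    """A publicly trusted certificate is issued for a DNS name, so the endpoint
    must be addressed by that name rather than by an IP literal."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def classify_verify_error(message: str) -> str:
    """Map OpenSSL's verification-failure text onto the Nessus finding names."""
    msg = message.lower()
    if "self signed" in msg or "self-signed" in msg:
        return "SSL Self-Signed Certificate"
    if "unable to get local issuer" in msg or "unable to get issuer" in msg:
        return "SSL Certificate Cannot Be Trusted"
    if "hostname mismatch" in msg:
        return "SSL Certificate Cannot Be Trusted (name mismatch)"
    return "SSL verification failed: " + message


def check_sslvpn_cert(host: str = SSLVPN_HOST, port: int = SSLVPN_PORT) -> str:
    """Handshake like a scanner (system CA bundle, check_hostname=True) and
    return "OK" or the finding the weekly scan would raise."""
    if not endpoint_is_dns_name(host):
        return "endpoint addressed by IP; use the DNS name on the certificate"
    ctx = ssl.create_default_context()  # OS trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass  # reaching here means the chain and name verified
        return "OK"
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(str(exc))
    except OSError as exc:
        return "connection failed: " + str(exc)


if __name__ == "__main__":
    print(check_sslvpn_cert())
```

Run it after installing the third-party certificate and before the next weekly scan; anything other than "OK" is what Nessus will report.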
