SSL misconfigured in Octopus Deploy

Hi,
I am looking for help from anyone who would be familiar with the results of a pentest.
A Penetration Test (pentest) was carried out on our Octopus Deploy servers and I got notified of an issue regarding to SLL misconfigured. Anyone familiar with pentest or any issues that may arise from it. Also would this be an issue the we misconfigured or an Octopus misconfiguration?? I just need a starting point of how to resolve the issue?

An example of issues found:

Kind Regards,
Micheál Power

Hi Micheál,

Thanks for getting in touch!

Whoever carried out the pentest would likely be in the best position to advise on the course of action required to remedy the issues, or if they are fine as they are.

The main thing to check within Octopus is that the thumbprint used by the server for tentacle communications is encrypted with sha256RSA. You can check this by navigating to Configuration > Thumbprint and you should see “The server certificate uses the sha256RSA algorithm”. We originally used an older algorithm, so if you started with an older version and have upgraded without renewing this then it may need refreshing. There are a few steps to renewing it, so if it does need doing, let us know and we can walk through it.

Outside of Octopus, pentests will typically pick up whether the server OS has had older, less secure forms of TLS and ciphers disabled. These can be checked and disabled by using a program like IISCrypto. As this is related to the OS rather than Octopus we can’t provide any recommendations on what should and shouldn’t be enabled.

Regards,
Paul

Hi Paul,
Thanks for the response.
I can see the Thumbprint is encrypted with the sha256RSA algorithm so thats fine.

Kind Regards,
Micheál Power

1 Like

Hi @paul.calvert,
This is the recommended fix from the pentest report:

Use strong ciphers (for example AES128-GCM cipher suite) whenever possible. Configure TLS/SSL protocols securely. Disabling HTTP compression will mitigate the BREACH attack.

Kind Regards,
Micheál Power

1 Like

Hi @paul.calvert,
Disabling RC4 Ciphers on our Octopus Deploy and worker servers fixed the issue.
https://www.namecheap.com/support/knowledgebase/article.aspx/9599/38/disabling-rc4

Kind Regards,
Micheál Power

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.