Hello,
Our Tentacles are failing a Qualys scan on the default port they listen on, 10933.
SSL Certificate - Invalid Maximum Validity Date Detected
Session Cookie Does Not Contain the “Secure” Attribute
HTTP Security Header Not Detected Active
TLS Protocol Session Renegotiation Security Vulnerability
Can someone please provide some guidance on resolution?
Tentacle version installed is 3.20.1
Thanks for getting in touch. The Octopus <-> Tentacle communication defaults to port 10933, which can be changed, or your tool can be made to accept that as a known, acceptable configured port.
The SSL certificate has a large expiry to make it easier for customers to use. You can change that to make the scanning tool happy, or you can put in an exception.
The other issues you have listed don't make sense to us. Could you do some digging on your end and get more familiar with the scanning tool as to how it got some of those results and why?
There isn't a session cookie for the Tentacles. If your scanner hits it over HTTP/HTTPS it will reach a test page; there's no concept of, or need for, a cookie for those test pages, so we're not sure why it would be reporting that.
The last 2 items lack enough detail; this is where we need your help, if you'd like a resolution, about what the tool has done to reach those outcomes.
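Two of the findings above (the long certificate validity and the renegotiation flag) can be checked by hand against a Tentacle listener with nothing but the openssl CLI. The script below is an added example and is not code from Octopus Deploy or from anyone in this thread. It assumes a validity ceiling of 398 days (a hypothetical value; Qualys does not publish the threshold here), a host and port passed on the command line, and that `openssl s_client` gets to see the server certificate even though it presents no Tentacle client certificate (if the handshake is cut short, the renegotiation status comes back as `unknown`, which is itself worth knowing before arguing with the scan report). The self-signed certificate it generates for the offline test is constructed and stands in for a real Tentacle certificate.

```shell
#!/bin/sh
# Added example: reproduce the "maximum validity" and "secure renegotiation"
# checks against a Tentacle port using only the openssl CLI.
set -eu

# Assumed ceiling for certificate validity; adjust to whatever your scanner enforces.
MAX_DAYS=398

# cert_outlives_days FILE DAYS
# Exit 0 if the PEM certificate in FILE is still valid more than DAYS days from now,
# i.e. its notAfter lies beyond the ceiling. Exit 1 if it expires within DAYS days.
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_not_after FILE: print the notAfter date of the PEM certificate in FILE.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# fetch_server_cert HOST PORT OUTFILE: save the leaf certificate the listener presents.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# renegotiation_status HOST PORT: report whether the server advertises the
# RFC 5746 secure renegotiation extension, as printed by s_client.
renegotiation_status() {
    out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null || true)
    case "$out" in
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *)                                         echo unknown ;;
    esac
}

# make_test_cert OUTFILE DAYS: constructed self-signed certificate with the given
# validity, used only so the checks can be exercised without a live Tentacle.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=tentacle.example" -keyout /dev/null -out "$1" >/dev/null 2>&1
}

# scan_tentacle HOST PORT: run both checks against a live listener and print a summary.
scan_tentacle() {
    certfile=$(mktemp)
    fetch_server_cert "$1" "$2" "$certfile"
    echo "notAfter:      $(cert_not_after "$certfile")"
    if cert_outlives_days "$certfile" "$MAX_DAYS"; then
        echo "validity:      exceeds $MAX_DAYS days (what the scanner is objecting to)"
    else
        echo "validity:      within $MAX_DAYS days"
    fi
    echo "renegotiation: $(renegotiation_status "$1" "$2")"
    rm -f "$certfile"
}

# Usage: ./tentacle-tls-check.sh <host> [port]   (port defaults to 10933)
if [ "$#" -ge 1 ]; then
    scan_tentacle "$1" "${2:-10933}"
fi
```

`-checkend` does the date arithmetic inside openssl, so the script does not depend on GNU `date`. If the renegotiation line comes back `unknown`, rerun `openssl s_client -connect host:10933` by hand and read the error: a handshake that aborts for lack of a client certificate is a different problem from a server that lacks the extension.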
Hello Nick,
I know this conversation was some time ago; however, our InfoSec team ran a Qualys scan and we are getting TLS Protocol Session Renegotiation Security Vulnerability. Was there more data provided to remediate that? Currently TLS 1.0/1.1 are disabled and servers (MS patches) are up to date.
Not directly related, but I have an issue open with TLS on the cloud default workers currently defaulting to lower than 1.2, causing some integrations (via step templates) to not work anymore.