Tentacle flagged by Qualys - not passing security requirements

security

(Lucas) #1

Hello,
Our Tentacles are failing Qualys scan on default port they listen on 10933.

SSL Certificate - Invalid Maximum Validity Date Detected
Session Cookie Does Not Contain the “Secure” Attribute
HTTP Security Header Not Detected Active
TLS Protocol Session Renegotiation Security Vulnerability

Can someone please provide some guidance on resolution?
Tentacle version installed is 3.20.1

Thank you!


(Nick Josevski) #2

Hi Lucas,

Thanks for getting in touch. The Octopus <-> Tentacle communication defaults to port 10933 that can be changed or your tool can be made to accept that as a known acceptable configured port.

We have some great details here, about the secure communication between Octopus and Tentacles: https://octopus.com/docs/administration/security/octopus-tentacle-communication

The SSL certificate has a large expiry to make it easier for customers to use. You can change that to make the scanning tool happy, or you can put in an exception.

We have details here if you would like to go down the path of taking ownership of the certificates and related configuration, which would allow you to then control the certificate expiry duration, you will then be responsible for rotating them: https://octopus.com/docs/administration/security/octopus-tentacle-communication/how-to-use-custom-certificates-with-octopus-server-and-tentacle

The other issues, you have listed don’t make sense to us, could you do some digging on your end and get more familiar with the scanning tool as to how it got some of those results and why.

There isn’t a session cookie for the Tentacles if your scanner hits it over HTTP/HTTPS it will reach a test page, there’s no concept or need for a cookie for those test pages. So we’re not sure why it would be reporting that.

The last 2 items lack enough detail, this is where we need your help if you’d like a resolution about what the tool has done to reach those outcomes:

  • HTTP Security Header Not Detected Active
  • TLS Protocol Session Renegotiation Security Vulnerability

Regards,
Nick