TLS Protocol Session Renegotiation Security Vulnerability in Octopus Client Port

In Vulnerability Assessment and Penetration Testing, one critical vulnerability, "TLS Protocol Session Renegotiation Security Vulnerability", was reported on the Octopus client port (10933) on all the servers. Please suggest how we can fix this issue.

Thanks,

Hi @321kiruthi,

Thank you for contacting Octopus support. We are sorry you have security audit issues caused by Octopus Tentacle.
There was a thread on our support forum a year ago about this issue. Our suggestion was to disable SSL3, TLS1.0, and TLS1.2 on the server and clients. One good option for that is the IISCrypto utility; another option is to disable client and server protocols in the Windows registry directly.
Octopus uses the Windows SChannel for transport security; disabling the vulnerable protocols should resolve the Renegotiation Vulnerability.

Are you able to try that as a solution? If so, please let me know how it goes.

Regards,
Sergei
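An added example, not from this thread or from Octopus Deploy: a read-only PowerShell audit of the SChannel registry switches Sergei refers to, plus the listener and reboot checks his follow-up asks about. The key path and the `Enabled` / `DisabledByDefault` value names are the documented SChannel ones; port 10933 comes from the thread; everything else (function name, protocol list) is assumed.

```powershell
# Added example (not from the Octopus forum thread). Reads the registry only; changes nothing.
# Assumption: run in an elevated PowerShell on the server that hosts the Tentacle listener.

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Server' or 'Client'
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default (key absent)' }
    }
    $v = Get-ItemProperty -Path $key
    # SChannel semantics: Enabled = 0 turns the protocol off; DisabledByDefault != 0 keeps it
    # off unless an application opts in; absent values fall back to the OS default.
    $state = if ($null -ne $v.Enabled -and $v.Enabled -eq 0) { 'Disabled' }
             elseif ($null -ne $v.DisabledByDefault -and $v.DisabledByDefault -ne 0) { 'DisabledByDefault' }
             elseif ($null -ne $v.Enabled) { 'Enabled' }
             else { 'OS default (values absent)' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

$report = foreach ($p in $protocols) {
    foreach ($s in 'Server', 'Client') { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$report | Format-Table -AutoSize

# Legacy protocols that are not explicitly switched off are what a scanner will still negotiate.
$legacy = $report | Where-Object {
    $_.Protocol -in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' -and $_.State -notlike 'Disabled*'
}
if ($legacy) {
    Write-Warning ("Not explicitly disabled: " + (($legacy | ForEach-Object { "$($_.Protocol)/$($_.Side)" }) -join ', '))
}

# SChannel reads these keys at boot, so settings changed after the last start-up are not live yet.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Write-Host "Last boot: $lastBoot  (compare with when IISCrypto / the registry was changed)"

# Which process owns the Tentacle port? Helps answer "is Octopus the only HTTPS listener here?"
Get-NetTCPConnection -LocalPort 10933 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort) owned by " + (Get-Process -Id $_.OwningProcess).ProcessName }
```

Run it again after a reboot; if a protocol still shows "Enabled" or "OS default" on the Server side, the scanner finding on 10933 is expected to persist.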

@sergei.dubovsky ,

Thanks for the quick response.

We have already disabled SSL3, TLS1.0, and TLS1.2 on the server and clients.

We are still having the vulnerability issue.

Thanks

@321kiruthi, thank you for the update.

To verify - are you getting the vulnerability on 10933 only? Is Octopus the only service that listens for HTTPS on the server in question? Also, and I apologize if that sounds trivial - was there a restart after TLS settings were changed in Registry/IISCrypto?

Regards,
Sergei
