Securing Headphones plugin SSL/TLS configuration?


blahhumbug (Dabbler, joined Apr 25, 2015, 22 messages)
I've been running various FreeNAS plugins that support HTTPS through the Qualys SSL Labs checker at https://www.ssllabs.com/ssltest/analyze.html

Most of the plugins are supporting vulnerable protocols on a default install. The only plugin I've been able to reasonably secure so far is the OwnCloud plugin, since all of the SSL configuration was easily changed by reconfiguring Apache 2.4 settings. The only thing I wasn't able to resolve for OwnCloud yet is TLS_FALLBACK_SCSV support, which needs OpenSSL 0.9.8zc or newer, but it looks like most FreeNAS plugins are using OpenSSL 0.9.8za. This is not critical, as I have shut off most of the older protocols anyway.

However, for Headphones, since it acts as its own web server, I am not sure how to start on securing it, and whether the issues are in Headphones code itself or in any of the libraries it uses (CherryPy, pyOpenSSL, etc.). I'm hoping that I might be able to do a sidegrade and upgrade some Python libraries without having to muck with Headphones code.

Attached are three screen captures of the Qualys report for Headphones. The main issues are:

* Vulnerable to CRIME attack. Need to shut off TLS compression
* Accepts weak ciphers: TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA
* Does not support Forward Secrecy
* Vulnerable to POODLE (Need to disable SSLv3 support)
* Vulnerable to DoS attacks due to client-initiated renegotiation support

Does anyone have recommendations on where to begin in resolving any of these issues, especially disabling SSLv3, RC4, and TLS compression?

Attachments

  • ssllabs_report_headphones1.png
  • ssllabs_report_headphones2.png
  • ssllabs_report_headphones3.png
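The five findings in the post above map onto a handful of TLS server settings. The following is an added example (not Headphones, CherryPy or pyOpenSSL code, and not from this thread) that builds a server context with Python's standard-library `ssl` module with those settings turned off and then audits the context against the report's items; how to hand such a context to CherryPy's SSL adapter depends on the CherryPy version and is not shown.

```python
import ssl

# Cipher string derived from the SSL Labs findings in the thread: ECDHE key
# exchange only (forward secrecy), AEAD or SHA-2 suites, and explicit exclusion
# of the RC4 / DES suites the report flagged. DHE is left out on purpose: it
# only negotiates if the server also loads DH parameters.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES256:ECDHE+AES128"
    ":!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
)


def build_hardened_context(certfile=None, keyfile=None):
    """Server-side SSLContext with the thread's five findings addressed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # POODLE: refuse SSLv3 (and TLS 1.0/1.1 along with it) via a TLS 1.2 floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CRIME: never negotiate TLS-level compression.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Renegotiation DoS: flag exists on Python 3.7+ with OpenSSL >= 1.1.0h;
    # on older builds it is simply unavailable, so fall back to a no-op.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    # Weak ciphers / no forward secrecy: pin the suite list and let the
    # server, not the client, choose the order.
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:  # hypothetical paths supplied by the caller
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit(ctx):
    """Report what a context still permits, keyed by the SSL Labs findings."""
    # TLS 1.3 suites are always forward-secret, so only inspect the older ones.
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    reneg_flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return {
        "sslv3_allowed": ctx.minimum_version <= ssl.TLSVersion.SSLv3,
        "compression_allowed": not (ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_ciphers": [n for n in names if "RC4" in n or "DES" in n],
        "forward_secrecy_only": all(n.startswith(("ECDHE-", "DHE-")) for n in names),
        # None means this OpenSSL/Python build cannot switch renegotiation off.
        "renegotiation_allowed": None if reneg_flag is None
        else not (ctx.options & reneg_flag),
    }
```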

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
I'd suspect this question would be best directed to the headphones devs, since the web server is an integral part of the headphones code. But why is it important? Your FreeNAS server should be behind a firewall, and the only way to access it from the Internet should be through a VPN. In that case, why is the security of the plugins important?
 

blahhumbug (Dabbler, joined Apr 25, 2015, 22 messages)
Forcing all connections through a VPN is definitely one solution, but it introduces some usability issues for various devices like Android, etc. If I can figure out how to secure my plugin web services better, I'd still like to do that, regardless of whether I end up using a VPN solution.

Unfortunately, Headphones has no support forums that I could find, only an IRC channel. So I periodically post my questions in IRC and hope someone will respond. In the meantime, I'm reading through the Headphones code so that I can learn how it has implemented HTTPS, and thought I would post the question here in case some other FreeNAS user has already done all of this homework and has useful information! :smile:
 

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages)
This question has nothing to do with support for FreeNAS. As such, I'm going to move it to the off-topic section.
 

blahhumbug (Dabbler, joined Apr 25, 2015, 22 messages)
My apologies! I saw lots of general plugin-specific (not FreeNAS-specific) threads in the Plugin help forums, so I thought that would be an okay place to ask Headphones-specific questions.
 