logo

The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.

Welcome Guest! You can not login or register.

Notification

Icon
Error
Weak SSL Posture/Configuration at least with Linux
Options
Go to last post Go to first unread
Previous Topic Next Topic
SCCurious  
#1 Posted : Tuesday, May 15, 2018 3:20:40 PM(UTC)
SCCurious


Rank: Newbie

Joined: 2/2/2014(UTC)
Posts: 10
United States

Thanks: 2 times
I've got ScreenConnect 6.5 installation running on an Ubuntu 16.04 LTS server.

It is properly configured for SSL and it does work correctly.

However, the SSL installation fails miserably when tested with www.ssllabs.com I do not know for sure if this is due to ScreenConnect, Mono 3.0.4 provided by ScreenConnect, Linux, or bad configuration or my part. My suspicion is that it is a ScreenConnect/Mono issue. That version of Mono is quite old.

Is it possible to improve the results through configuration? Or, is the only option to use a reverse proxy or other OS? Do Windows installations also fail these SSL tests?
Back to top

Back to top  
Michael L  
#2 Posted : Wednesday, May 16, 2018 1:28:35 PM(UTC)
Michael L


Rank: Administration

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 8/18/2015(UTC)
Posts: 98
Man
United States

Thanks: 8 times
Was thanked: 14 time(s) in 12 post(s)
Hi SCCurious,

With the default installation, you'll see those kinds of results due primarily to the Mono implementation. The only way that you can currently improve it on a Linux server would be to install a reverse proxy like nginx, the installation of which is documented in this forum post:
http://controlforum.conn...inux--TLS-and-Nginx.aspx

We have a couple of feature requests posted here that are asking for Mono to be updated to support disabling some protocols and updating it to be able to use TLS 1.2+, as well, you may want to upvote/comment on these (installing nginx also lets you use TLS 1.2+):
https://control.product....ed-rc-cyphersssl-in-mono
https://control.product....or-freshdesk-integration

Windows installations don't fail the tests in the same way that you're seeing, as the Windows server installation uses HTTP.sys to serve webpages, and is configured a bit more securely by default in the OS; however, you can easily configure/harden Windows to pass the tests with flying colors using a tool like IISCrypto. Also as a side note, Control/SC is a native .NET application, so you'll typically see better performance on that OS vs. on Linux.
IISCrypto: https://www.nartac.com/Products/IISCrypto/Download

Hope this helps!
ConnectWise Control (ScreenConnect) Support Team
Back to top
thanks 1 user thanked Michael L for this useful post.
SCCurious on 5/16/2018(UTC)
SCCurious  
#3 Posted : Wednesday, May 16, 2018 7:19:06 PM(UTC)
SCCurious


Rank: Newbie

Joined: 2/2/2014(UTC)
Posts: 10
United States

Thanks: 2 times
Thanks very much for the thorough response.

This is just what I needed to know.


Edit: That feature request has been pending for two years! It looks like there's no chance to make changes or update the Mono version.

Edited by user Wednesday, May 16, 2018 7:24:58 PM(UTC)  | Reason: New info.
Back to top
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2019, Yet Another Forum.NET