Author Topic: False warnings with PCI scan?  (Read 2813 times)

Offline jimwillsher

  • Newbie
  • Posts: 1
False warnings with PCI scan?
« on: April 17, 2014, 04:42:40 AM »
Hello

I've installed a Comodo certificate on my Ubuntu server. This is a trial server, with a view to using a similar setup commercially. I've completed a PCI scan and I have 7 warnings:

The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates. Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.


The following certificates were part of the certificate chain sent by the remote host, but have signatures that use algorithms that Nessus does not recognize :
Status Fail (This must be resolved for your device to be compliant).
Security Warning found on port/service "smtp (25/tcp)"
Solution Purchase or generate a proper certificate for this service.
|-Subject : C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
|-Algorithm (OID) : 1.2.840.113549.1.1.12
|-Subject : C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
|-Algorithm (OID) : 1.2.840.113549.1.1.12


My certificate is a Comodo cert, and seems to be working correctly in Apache and Postfix/Dovecot. So why do I see these warnings?

Many thanks


Jim
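An added worked example, not code from the thread, from Comodo or from Nessus. The OID the scanner prints, 1.2.840.113549.1.1.12, is the PKCS#1 identifier for sha384WithRSAEncryption, so the script below rebuilds that situation offline with throwaway certificates (a root and an intermediate both signed with SHA-384 RSA, a leaf signed with SHA-256) and runs the three checks the scan text describes: the signature algorithm on each certificate, the validity window, and whether the leaf chains to the root with and without the intermediate being sent. It assumes only the openssl command-line tool (1.1.1 or 3.x); every name in it (Example root/int/leaf, mail.example.test) is made up. The fetch_chain function is the network step for pulling the chain a live server actually sends, including STARTTLS on 25/tcp, and is not used by the offline checks.

```shell
#!/bin/sh
# Added example (not from the thread, Comodo or Nessus). Rebuilds a chain
# whose CA certificates are signed with sha384WithRSAEncryption, the algorithm
# behind OID 1.2.840.113549.1.1.12 in the scan output, and inspects it the
# way a scanner would. Requires the openssl CLI; all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# oid_to_sigalg OID: PKCS#1 signature OIDs as a scanner prints them,
# mapped to the names openssl prints (table from RFC 8017 / RFC 3279)
oid_to_sigalg() {
  case "$1" in
    1.2.840.113549.1.1.4)  echo md5WithRSAEncryption ;;
    1.2.840.113549.1.1.5)  echo sha1WithRSAEncryption ;;
    1.2.840.113549.1.1.11) echo sha256WithRSAEncryption ;;
    1.2.840.113549.1.1.12) echo sha384WithRSAEncryption ;;
    1.2.840.113549.1.1.13) echo sha512WithRSAEncryption ;;
    *)                     echo unknown ;;
  esac
}

# sig_alg CERT.pem: the signature algorithm actually used on a certificate
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# still_valid_for SECONDS CERT.pem: exit 0 if the cert has not hit notAfter
# SECONDS from now (the scanner's "not valid at the time of the scan" check)
still_valid_for() {
  openssl x509 -in "$2" -noout -checkend "$1" >/dev/null
}

# sign_csr CSR CA.pem CA.key EXTFILE HASH OUT.pem: issue a cert from a CSR
sign_csr() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" "-$5" -days 3 -out "$6" 2>/dev/null
}

# build_chain: root (SHA-384, self-signed) -> int (SHA-384) -> leaf (SHA-256)
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' >"$WORK/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example CA/CN=Example $n" \
      -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha384 -days 3 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  sign_csr "$WORK/int.csr"  "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"   sha384 "$WORK/int.pem"
  sign_csr "$WORK/leaf.csr" "$WORK/int.pem"  "$WORK/int.key"  "$WORK/leaf.ext" sha256 "$WORK/leaf.pem"
}

# chain_status with|without: prints OK when the leaf chains to the trusted
# root, FAIL otherwise; "without" models a server that omits the intermediate
chain_status() {
  if [ "$1" = with ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# fetch_chain HOST PORT [starttls-protocol]: the certificates a live server
# sends, e.g. "fetch_chain mail.example.test 25 smtp" for Postfix on 25/tcp or
# "fetch_chain www.example.test 443" for Apache. Network only; not used below.
fetch_chain() {
  host=$1; port=$2; proto=${3:-}
  if [ -n "$proto" ]; then
    openssl s_client -connect "$host:$port" -starttls "$proto" -showcerts </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null
  fi | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

build_chain
for c in root int leaf; do
  printf '%-4s signature: %s\n' "$c" "$(sig_alg "$WORK/$c.pem")"
done
echo "scanner OID 1.2.840.113549.1.1.12 = $(oid_to_sigalg 1.2.840.113549.1.1.12)"
echo "chain with intermediate: $(chain_status with); without: $(chain_status without)"
```

Feeding the output of fetch_chain through sig_alg one certificate at a time shows whether the algorithm a scanner reports as unrecognized is really SHA-384 RSA, and running chain_status against a served chain that omits an intermediate reproduces the first failure mode the scan text describes, which is the one fix (serving the intermediate) that is actually in the server operator's hands.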

Offline ccsupport

  • Newbie
  • Posts: 2
Re: False warnings with PCI scan?
« Reply #1 on: December 17, 2014, 10:01:06 AM »
Hello,

Did you ever resolve this issue?  We have the exact same issue on a number of incoming ports.  Most we can block but one is on port 443!
