-
- Influencer
- Posts: 21
- Liked: 1 time
- Joined: May 24, 2017 1:37 pm
- Contact:
Surebackup appliance using TLS 1.0
We had a couple of SureBackup labs running when an internal pen test was done. We had audit hits on both SureBackup proxy appliances because they're using TLS 1.0. I opened Veeam Support - Case # 04360092 on this issue and was told by support that there is a patch to update Apache, but that there is still a requirement for TLS 1.0. We're still running 9.5 U4 (waiting on an outstanding issue before we can move to 10) and I was wondering if this is still an issue in version 10. If so, I realize SB labs aren't a huge concern because of the short length of time they're online, but I was surprised that Veeam will still be using a very old, insecure protocol to complete this task. Are future SB labs only going to utilize TLS 1.2 and higher?
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Surebackup appliance using TLS 1.0
Hello,
Yes, the patch also upgrades TLS to 1.2.
I just checked in my lab. See Firefox output:
Actually, I don't believe that this increases security at any point. At least I have no idea how the protection of the virtual lab test results could be a security issue. The purpose of that webserver is to pass the SureBackup results back to the backup server.
Best regards,
Hannes
-
- Influencer
- Posts: 21
- Liked: 1 time
- Joined: May 24, 2017 1:37 pm
- Contact:
Re: Surebackup appliance using TLS 1.0
Well, that's good to know, as the support person on the case specifically said it DIDN'T change the TLS version. I guess I'll get the patch and see if it clears up the scan. While I agree about the 'security' issue on the lab, auditors LOVE to find stuff like this and write you up on report for using insecure protocols regardless of its actual severity in the real world. It's how they make their money (and headaches for me!).
-
- Veeam Software
- Posts: 2123
- Liked: 513 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Surebackup appliance using TLS 1.0
Hey @theta12,
My apologies for the misinformation introduced by the Engineer on the case. I double-checked the case and the internal posting for the issue, and regrettably the posting left some ambiguity as to what the hotfix included. I will update our internal documentation to reflect this, but this was an error of documentation, repeated by the Engineer, which I will ensure is corrected to avoid confusion in future cases.
Thanks for bringing the case to our attention, and I will correct the missing information from the internal issue.
David Domask | Product Management: Principal Analyst