VMware Horizon Community
SPLHCB
Contributor
Contributor
‎03-28-2019 06:22 AM

SSL certificate error when nessus scanning view connection servers port 4001 router certificate Vulnerability

Hello Colleauges

Due to Vulnerability Scann check I get medium scan breaches related to router certificate (JMS) 4001 port

So, do we have some solution to hardening JMS SSL or some risk acceptance of false positive prooved KB about that?

I find VMware Knowledge Base that is described similar false-positive client connection related issue

Maybe someone is resolve problem like that?

Anyway will appreciate for any help

Tags (1)
0 Kudos
5 Replies
SPLHCB
Contributor
Contributor
‎05-14-2019 07:07 AM

I can't believe!

is nobody used Nessus scan and works without IT security? Or just "open case" without any suggestion?

0 Kudos
BenFB
Virtuoso
Virtuoso
‎05-16-2019 02:04 PM

We would need more info. What is the vulnerability or issues that Nessus is reporting?

0 Kudos
SPLHCB
Contributor
Contributor
‎05-17-2019 02:17 AM

Plugin namePortProtocolService namePlugin outputSolutionSynopsisPlugin version ID
SSL Certificate with Wrong Hostname4101tcpunknown The identities known by Nessus are :
"///IP address///"
"///Mac address///"
"///Hostname///"
"///alternative FQDN DNS alias///"
"///FQDN name///"
The Common Name in the certificate is :
  router/"///Hostname///"
Purchase or generate a proper certificate for this service.The SSL certificate for this service is for a different host.169372
SSL Self-Signed Certificate4101tcpunknown
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : CN=router/"///Hostname///"
Purchase or generate a proper certificate for this service.The SSL certificate chain for this service ends in an unrecognized self-signed certificate.169402
Red - Certificates with too long timespan4172tcpunknownCertificate lifespan is longer than 825 days
Mar 24 11:26:22 2019 GMT
Mar 22 11:26:22 2024 GMT		Request certificate with shorter lifespan.199951
SSL Self-Signed Certificate4002tcppxc-spvr-ft?
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : CN=router/"///Hostname///"
Purchase or generate a proper certificate for this service.The SSL certificate chain for this service ends in an unrecognized self-signed certificate.169402
SSL Self-Signed Certificate4172tcpunknown
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=CA/ST=British Columbia/L=Burnaby/O=Teradici Corporation/OU=SoftPCoIP/1.2.840.113549.1.9.3=SecurityGateway/CN="///FQDN Hostname///"
Purchase or generate a proper certificate for this service.The SSL certificate chain for this service ends in an unrecognized self-signed certificate.169402
SSL Certificate Cannot Be Trusted4002tcppxc-spvr-ft?
The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : CN=router/"///Hostname///"
|-Issuer  : CN=router/"///Hostname///"
Purchase or generate a proper certificate for this service.The SSL certificate for this service cannot be trusted.185667
0 Kudos
BenFB
Virtuoso
Virtuoso
‎05-17-2019 01:35 PM

I would consider those false positives that can be ignored. For all of the communication you listed there are additional safeguard in place.

Port 4172 is for PCoIP. If you must you can replace the PCoIP Secure Gateway (PSG) certificate.

SSL certificate error when scanning PCoIP secure gateway port 4172 (1038762)

Configure the PCoIP Secure Gateway to Use a New TLS Certificate

This section of the documentation covers how Horizon performs other means of validation for the message bus traffic on ports 4001 and 4002.

Certificate Thumbprint Verification and Automatic Certificate Generation

Port 4101 is used for the connection server JMS traffic. Make sure you are in Enabled or Enhanced mode.

Firewall Rules for Horizon Connection Server

Understanding Communications Protocols

Message Security Mode for Horizon 7 Components

Global Security Settings for Client Sessions and Connections

Change the JMS Message Security Mode to Enhanced

Horizon Messaging

0 Kudos
bjohn
Hot Shot
Hot Shot
‎08-09-2019 05:21 PM

I ran into the same issue with Nessus scans. Found this article for port 4172. https://kb.vmware.com/s/article/58868 Can't find any articles for port 4101 and 4002

0 Kudos