PCI Scan is showing Vulnrebilities for SSL

Hi,

I followed the article SSL PCI Compliance and blocked the 100015 to restrict website traffic only to ports 80 and 443. But I am still able to telnet ports 2096, 2087, 2053 and my PCI scan is also able to detect and cause the test to fail. I am on a pro plan, now what can I do to resolve this issue and block all ports other than 80 and 443?

Thanks

https://community.cloudflare.com/search?q=pci%20port%2080

For example PCI Scan is showing vulnerabilities

In short, Cloudflare will always respond on these ports but with that rule it won’t matter.

The problem is not that the ports are open, the PCI scan is complaining that the SSL is certificate on these ports is expired. I thought just blocking these ports will resolve the issue, what do you think would be ab appropriate solution to this?

That should not happen, unless you have disabled edge certificates, in which case you shouldn’t have SSL at all. What’s the domain?

Ports do not get “closed”, they will simply show an appropriate message.

1 Like

The domain is colemanfurniture.com

Here is the screenshot from my PCI scan

And the Edge certificate is active

That scan does not suggest an expired certificate and the certificate on these ports has not expired either

image

Requests to port 2083 are blocked as it would be expected -> sitemeer.com/#https://colemanfurniture.com:2083/

It’s not quite clear what signature failed here, but that might be an issue with that scan. The certificate is correctly in place. You might want to clarify this with the developer of that scan.

Do you have a valid certificate on your server? If you don’t they might still connect to your origin. You would need to fix this.

No, I don’t have a valid certificate on the origin. Do you think that could be an issue here? but that probably is not possible as my server recieves traffic only from Cloudflare and only its IP addresses are whitelisted

Absolutely! You need a valid certificate on your server, otherwise there is no proper encryption and your PCI concerns are pointless in the first place.

You might still want to clarify with them though the signature bit.

The only ports I have opened on my server are 443 and 80, and that too accepts traffic only through Cloudflare and this is what is whitelisted there https://www.cloudflare.com/ips-v4

Still, you need to fix the certificate issue for starters. At the same time you should clarify what signature they don’t like.

From a Cloudflare perspective everything is in place, requests to these ports get blocked and the certificate is in place. The main issue now is the missing certificate on your origin plus why they throw that error message.

The issue is essentially a false positive on the scanner, as there is a control in place to deal with the open ports. Provided @user2510 has rule 100015 in place Cloudflare will respond 403 on the non standard ports.

1 Like

And that is precisely what is happening. We are discussing a non-issue here and that would have been rather obvious with a quick search. Also, there is no expired certificate as it was claimed. The OP simply needs to clarify with that service owner what their problem is. Cloudflare won’t be involved here.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.