
Default httpd.conf for WAF enables insecure Protocols/Suites (TLS1, TLS1.1, 3DES) and enables Trace/Track on each firmware update

This is a continuation of https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/109122/failing-pci-scans-because-of-outdated-jquery-in-user-portal---is-there-a-fix/391323#391323 but a new thread was requested by LuCar Toni here: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/109122/failing-pci-scans-because-of-outdated-jquery-in-user-portal---is-there-a-fix/392533#392533


On a fresh install of any firmware to an XG appliance the WAF settings allow insecure protocols and 3DES in addition to Trace/Track. This has been an issue going back over two years (previous post: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/84480/failing-pci-scans---how-do-i-disable-tls-1-0-and-block-des-3des/368398#368398 )

 

Demonstration of what is happening.  After any firmware upgrade I have a PCI compliance scan done and get the following results:


I highlighted the failures on 3DES and TLS 1.0. So I telnet in and check the Apache httpd.conf file, and this is what's in it:


Sure enough, all those protocols are re-enabled on each firmware upgrade. I then manually edit that file to remove 3DES, TLSv1, TLSv1.1, and TraceTrack so it looks like this:


and restart the services (per instructions support gave me and I blogged about here). I then rescan and I no longer fail due to those items:


This is happening to multiple people on this forum and who have commented on my blog post.  Settings within the UI (mainly the "TLS setting") do not affect this behavior.

 

This is happening on 3 separate XG boxes, one XG310 and a pair of XG125w. All three were installed at different times; the last XG125W shipped with v17, the other two started with v16. All three exhibit the same behavior on each firmware upgrade: the "secure" settings get wiped out and replaced by an "insecure set".

[locked by: FloSupport at 7:33 PM (GMT -8) on 11 Jan 2019]
  • Still struggling with this issue like AlanT was. 

    Because I checked once again all my WAF XGs with TLS 1.2 only, and it works fine with all my XGs without even changing anything in the config files at all.

     

    Used SSL Labs to test my WAF.


    Also talked about this to some of my customers / partners. Nobody could relate to it. 

    I assume the config file / database got broken and rewrites the "Use TLS1.0" setting back into your config all the time.


    Can you post your (New) Sophos Support Case? So  can track it? 

    PS: your screenshots are not readable. :) 

  • Please build a new XG (using an older version) and then check the security settings.

    Then perform a restore of your configuration and check the security settings.

    Then allow the XG to install an update then check the security settings.

    Or build a new XG (older version), check the security settings, then run the update without your configuration.

    Ian

    I'm not sure how this would help, as it doesn't appear to affect virtual machines, and the only people that have reported it, myself, , and a couple of people through my website, were all on appliances. And I'm definitely not doing this to my XG310, which is in production... I'm not risking it breaking and our network being down. Or are you saying start up a virtual machine and load the backup onto it? I can do that, but again I don't think it's going to matter.

     

    I'd rather wait for to let me know what he found after I send him the documentation he asked for a couple weeks ago.

    Sorry... copied the screenshots from the other thread and apparently they didn't size correctly. I'll try to get them fixed.

     

    As for an SSL Labs report with a non-edited httpd.conf file (I reset it), here are the results that I just ran (12/31/18 8:30 AM EST):


    Again, TLS 1.2 is enabled but it doesn't seem to care. Only editing the httpd.conf file seems to fix this. And my PCI compliance scans find the same thing, so it's not just them. Maybe I'll upgrade to 17.5 and see what happens if I don't hear anything back from in the near future.

    Again, you need a Support Case. I honestly believe your XG is rewriting something all the time because something was changed back in the days in your database configuration.

    You could open the Support Case and give support all the details they need to check your log.

    I've entered a support case. Although I don't understand why I was asked for information if nothing is going to be done with it to try to solve this problem.

    As for rewriting all the time: again, it is only after a firmware update. Something in the firmware update is rewriting that file. From what @AlanT said the file shouldn't be used at all, but it obviously is, based on the evidence. If I manually edit the file and then don't update firmware again for 6 months, then the system is secure for those 6 months. As soon as I update the firmware it is no longer secure until I edit the file again.

    Do you use HA?

    You opened a Case before (back in the days); did Sophos Support maybe change something on your system?

    I would say, there is something corrupt in your Backup file, which causes this behavior. That is my guess.

     

    I highly suggest to open a Case to follow the correct process for this issue.

  • I do not use HA.

    When I originally opened the support ticket, two years ago now, they said at the time the system didn't have an option for TLS 1.2 from the UI and that I needed to manually make the change through the console. Which I did. I did nothing else other than follow their exact instructions to make the changes to httpd.conf, and I have had to make the same changes with each firmware update since then. I'm not sure how that would be a corrupt backup file.

    And again, I opened up a new support case, explained what was happening, and provided a link to this thread.

  • After some back and forth this is what Support said:

    "Version 17.5 GA has the settings for TLS version in WAF under General settings.  Kindly upgrade the device to latest version and after that if the issue persists then we can look into it further. "

    I told them that setting has already been changed, changed back, and changed again with no effect. I pointed them to this thread but haven't gotten anything back. Were the logs I sent to  ever looked at? Your support people don't seem to want to troubleshoot this until I upgrade, but I shouldn't have to. I am willing to upgrade if someone can tell me that the setting doesn't work prior to 17.5, but from what you and others have said it should.

     

    Old support case #7105754. New support case #8551864. And here is a copy and paste from the old support case and what they told me to do:

     

    Hello Allan,

    I have heard back from GES on this issue.  They have provided a workaround for now, below are the instructions to disable TLSv1.0 for WAF.

    Workaround Solution:
    # mount -no remount,rw /
    # vi /usr/apache/conf/httpd.conf
    -- Replace the following two lines (original) with the two lines shown after them (edited; these were the lines in red in the original mail). Before editing, create a backup of the original file:

    Original:
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLProtocol all -SSLv2 -SSLv3

    Edited (3DES suites removed, TLSv1 and TLSv1.1 disabled):
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # service apache:restart -ds nosync
    # service WAF:restart -ds nosync
    # mount -no remount,ro /


    Please note this is only a workaround until the option to disable TLSv1.0 is included in the web admin of the XG. This will break old legacy systems where DES and 3DES are the only supported ciphers (e.g. Windows XP clients or older versions of Windows Server). This change will be overwritten by a software upgrade as well; every time you upgrade the firmware the workaround will need to be applied.

    GES has informed me that the option to disable TLSv1.0 will be added in SFOS v17.


    Regards,

    Sophos Technical Support

     

    Note the line that says this change will be overwritten by a software upgrade and needs to be done each time? That's exactly what I've had to do for two years now. Except changing the option in the UI doesn't fix it.
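A post-upgrade check of the kind this thread keeps coming back to, as an added example that is not part of the original thread or of Sophos' own tooling: it reads an Apache httpd.conf and reports the three items the PCI scan flagged (TLSv1/TLSv1.1 still enabled by SSLProtocol, 3DES groups in SSLCipherSuite, and TRACE/TRACK via TraceEnable). The path /usr/apache/conf/httpd.conf and the two SSLCipherSuite/SSLProtocol pairs are taken from the support workaround quoted above; the TraceEnable lines in the sample are constructed, since the thread's screenshot of that directive is unreadable, and the script assumes the standard Apache TraceEnable directive is what controls it. It also flags DES, RC4, NULL and export groups, which goes beyond the 3DES case in the thread for the same reason.

```python
"""Audit a Sophos XG WAF httpd.conf for the settings the PCI scan flagged.

Added example for this thread, not Sophos code. Usage after a firmware update:
    python3 waf_tls_audit.py /usr/apache/conf/httpd.conf
Exit status 1 means at least one finding.
"""
import re
import sys

# mod_ssl's "all" keyword on Apache 2.4 built against OpenSSL 1.0.x/1.1.0 (the
# era of SFOS v16/v17) expands to these. TLSv1.3 exists only on OpenSSL 1.1.1+
# builds, so it is deliberately not assumed here.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Cipher-string keywords that positively select weak suites. 3DES is the one
# the scan reported; the others are the same class of problem.
WEAK_CIPHER_KEYWORDS = re.compile(r"(3DES|DES|RC4|NULL|EXP)", re.IGNORECASE)


def directive(conf, name):
    """Value of the last occurrence of a directive (Apache: last one wins).
    Assumes the directives are plain lines, as in the thread, not inside <If>."""
    found = re.findall(rf"^\s*{name}\s+(.+?)\s*$", conf, re.MULTILINE | re.IGNORECASE)
    return found[-1] if found else None


def enabled_protocols(spec):
    """Resolve an SSLProtocol value: 'all' adds ALL_PROTOCOLS, '+X' adds X,
    '-X' removes X, and a bare name is treated like '+X' (a simplification of
    mod_ssl's rules that is exact for the forms seen in this thread)."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return sorted(enabled)


def weak_cipher_tokens(spec):
    """Cipher-string tokens that select weak suites. Tokens prefixed with '!'
    or '-' exclude suites rather than select them and are skipped."""
    return [tok for tok in spec.split(":")
            if tok[:1] not in ("!", "-") and WEAK_CIPHER_KEYWORDS.search(tok)]


def trace_enabled(conf):
    """Apache's default is TraceEnable On, so a missing directive counts as on."""
    value = directive(conf, "TraceEnable")
    return value is None or value.strip().lower() != "off"


def audit(conf):
    """Return a list of human-readable findings; an empty list means it passes."""
    findings = []
    # A missing SSLProtocol is treated as 'all' (the most permissive reading).
    for proto in enabled_protocols(directive(conf, "SSLProtocol") or "all"):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"SSLProtocol enables {proto}")
    for tok in weak_cipher_tokens(directive(conf, "SSLCipherSuite") or ""):
        findings.append(f"SSLCipherSuite selects weak group {tok}")
    if trace_enabled(conf):
        findings.append("TraceEnable is not Off (TRACE/TRACK requests allowed)")
    return findings


# Sample fragments. The SSLCipherSuite/SSLProtocol lines are the two versions
# quoted from the support workaround in this thread; the TraceEnable lines are
# constructed because the thread's screenshot of that directive is unreadable.
AS_SHIPPED = """\
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3
TraceEnable On
"""
HARDENED = """\
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
TraceEnable Off
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else AS_SHIPPED
    problems = audit(text)
    for problem in problems:
        print("FAIL:", problem)
    print("OK: no findings" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run against the as-shipped fragment it reports six findings (TLSv1, TLSv1.1, the three 3DES groups, and TRACE); against the edited fragment it reports none. It only reads the file the box is actually serving from, so it is a quick way to tell after an upgrade whether the workaround has been reverted; it does not replace the external scan, which is what actually exercises the listener.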

  • Again, I am not a Support Engineer. I can only rephrase my experience with other customers. None of my customers could reproduce this since V17.0.

    All of them use the Webadmin option and it works fine.

    I cannot tell you, what was done with your Log files. But the basic process is, to talk to the Support people about this issue to get some information. 

    There should be something wrong with your backup. You said back in the other thread that you can reproduce this even after reinstalling your XG and restoring the config file, isn't that right?