
Default httpd.conf for WAF enables insecure Protocols/Suites (TLS1, TLS1.1, 3DES) and enables Trace/Track on each firmware update

This is a continuation of https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/109122/failing-pci-scans-because-of-outdated-jquery-in-user-portal---is-there-a-fix/391323#391323 but a new thread was requested by LuCar Toni here: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/109122/failing-pci-scans-because-of-outdated-jquery-in-user-portal---is-there-a-fix/392533#392533


On a fresh install of any firmware to an XG appliance the WAF settings allow insecure protocols and 3DES in addition to Trace/Track.  This has been an issue going back over two years (previous post: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/84480/failing-pci-scans---how-do-i-disable-tls-1-0-and-block-des-3des/368398#368398 )


Demonstration of what is happening.  After any firmware upgrade I have a PCI compliance scan done and get the following results:


I highlighted the failures on 3DES and TLS 1.0.  So I telnet in and check the Apache httpd.conf file and this is what's in it:


Sure enough, all those protocols are re-enabled on each firmware upgrade.  I then manually edit that file to remove 3DES, TLSv1, TLSv1.1, and TraceTrack so it looks like this:


and restart the services (per instructions support gave me and I blogged about here). I then rescan and I no longer fail due to those items:


This is happening to multiple people on this forum and who have commented on my blog post.  Settings within the UI (mainly the "TLS setting") do not affect this behavior.


This is happening on 3 separate XG boxes, one XG310 and a pair of XG125w.  All three were installed at different times and the last XG125W shipped with v17, the other two started with v16.  All three exhibit the same behavior on each firmware upgrade: the "secure" settings get wiped out and replaced by an "insecure set".

[locked by: FloSupport at 7:33 PM (GMT -8) on 11 Jan 2019]
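As an added example that is not part of the original thread or of any Sophos code, the following Python script performs the same check the original poster does by hand after every firmware update: it reads an Apache mod_ssl configuration and reports whether TLSv1/TLSv1.1, 3DES ciphers or HTTP TRACE are still enabled. It assumes the WAF's httpd.conf uses the standard Apache directives (`SSLProtocol`, `SSLCipherSuite`, and `TraceEnable`, which is the directive behind what the post calls "Trace/Track"); because the thread's screenshots are unreadable, the two sample configurations below are constructed to mirror the post's description rather than copied from a real appliance.

```python
"""Audit an Apache httpd.conf for the weak TLS/TRACE settings discussed in the thread.

Usage: python audit_httpd_tls.py /path/to/httpd.conf
With no argument it audits the constructed samples below.
"""
import sys

KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# What the PCI scan in the thread flags (TLS 1.0/1.1) plus the SSL versions nobody should offer.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify a 3DES (DES-CBC3) cipher in an OpenSSL cipher string.
WEAK_CIPHER_MARKERS = ("3DES", "DES-CBC3")
AUDITED_DIRECTIVES = ("SSLProtocol", "SSLCipherSuite", "TraceEnable")

# Constructed sample of the "insecure set" the post describes (not the real Sophos file).
SAMPLE_BEFORE = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA
TraceEnable on
"""

# Constructed sample of the hand-edited file after removing 3DES, TLSv1, TLSv1.1 and TRACE.
SAMPLE_AFTER = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:!3DES:!DES-CBC3-SHA
TraceEnable off
"""


def parse_directives(conf_text):
    """Return {directive: last value} for the audited directives.

    Apache honours the last occurrence of a directive within a scope; this flat
    parser ignores <VirtualHost> scoping, which is enough for a first-pass check.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] in AUDITED_DIRECTIVES:
            found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found


def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv3 -TLSv1' into the set it enables.

    'all' is Apache's shortcut for SSLv3 plus every TLS version the OpenSSL build
    supports; '-X' removes X, while '+X' or a bare 'X' adds it.
    """
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled |= set(KNOWN_PROTOCOLS) - {"SSLv2"}
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def weak_ciphers(value):
    """Return the explicitly selected 3DES entries in an SSLCipherSuite string.

    Entries prefixed with '!' or '-' are exclusions and do not count. Aliases such
    as HIGH or DEFAULT are not expanded here; confirm those with `openssl ciphers -v`
    or an external scan, as the thread does with SSL Labs.
    """
    weak = []
    for entry in value.split(":"):
        if not entry or entry[0] in "!-":
            continue
        if any(marker in entry.upper() for marker in WEAK_CIPHER_MARKERS):
            weak.append(entry)
    return weak


def audit(conf_text):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    directives = parse_directives(conf_text)

    # A missing SSLProtocol is treated as 'all', the conservative assumption.
    for proto in sorted(enabled_protocols(directives.get("SSLProtocol", "all")) & WEAK_PROTOCOLS):
        findings.append(f"SSLProtocol enables {proto}")

    for entry in weak_ciphers(directives.get("SSLCipherSuite", "")):
        findings.append(f"SSLCipherSuite selects 3DES cipher {entry}")

    # Apache's default is TraceEnable on, so an absent directive is a finding too.
    trace = directives.get("TraceEnable", "on").lower()
    if trace != "off":
        findings.append(f"TraceEnable is '{trace}' (HTTP TRACE is answered)")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            results = audit(fh.read())
    else:
        results = audit(SAMPLE_BEFORE)
    print("\n".join(results) if results else "no weak protocol, 3DES or TRACE settings found")
    sys.exit(1 if results else 0)
```

Run it against the live file right after an upgrade and the non-zero exit status makes it usable as a post-update check; on the constructed "before" sample it reports TLSv1, TLSv1.1, both DES-CBC3 ciphers and TRACE, and on the "after" sample it reports nothing.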
  • Still struggling with this issue like AlanT was. 

    Because I checked once again all my WAF XGs with TLS1.2 only, and it works fine with all my XGs without even changing anything in the config files at all. 


    Used SSLLabs to test my WAF. 


    Also talked about this to some of my customers / partners. Nobody could relate to it. 

    I assume the config file / database got broken and rewrites the "Use TLS1.0" back into your config all the time. 


    Can you post your (New) Sophos Support Case? So  can track it? 

    PS: your screenshots are not readable. :) 

  • Sorry...copied the screen shots from the other thread and apparently they didn't size correctly.  I'll try to get them fixed.


    As for an SSLLabs report with a non-edited httpd.conf file (I reset it), here are the results that I just ran (12/31/18 8:30 AM EST):


    Again TLS 1.2 is enabled but it doesn't seem to care.  Only editing the httpd.conf file seems to fix this.  And my PCI compliance scans find the same thing, so it's not just them. Maybe I'll upgrade to 17.5 and see what happens if I don't hear anything back from in the near future.

  • Again, you need a Support Case. I honestly believe your XG is rewriting something all the time because something was changed back in the days in your Database configuration. 

    You could trigger the Support Case and give the support all the details they need to check your log. 

  • I've entered a support case. Although I don't understand why I was asked for information if nothing is going to be done with it to try to solve this problem using it.  

    As for rewriting all the time: again, it is only after a firmware update. Something in the firmware update is rewriting that file. From what @AlanT said, the file shouldn't be used at all, but it obviously is, based on the evidence. If I manually edit the file and then I don't update firmware again for 6 months, then the system is secure for those 6 months. As soon as I update the firmware it is no longer secure until I edit the file again.

  • Do you use a HA? 

    You opened a Case before (back in the days); did Sophos Support maybe change something on your system? 

    I would say, there is something corrupt in your Backup file, which causes this behavior. That is my guess.


    I highly suggest opening a Case to follow the correct process for this issue.

  • I do not use HA.

    When I originally opened the support ticket, two years ago now, they said at the time the system didn't have an option for TLS 1.2 from the UI and that I needed to manually make the change through the console. Which I did. I did nothing else other than follow their exact instructions to make the changes to httpd.conf, and I have had to make the same changes with each firmware update since then. I'm not sure how that would be a corrupt backup file.

    And again, I opened up a new support case, explained what was happening, and provided a link to this thread.
