Hi,
We have an XG230 running SFOS 18.5.2 MR-2-Build380.
During a recent external pen test it was reported that our externally available SMTP service supports TLS 1.1, which is a risk because "Numerous vulnerabilities have been found in TLS Version 1.1 including Padding Oracle attacks such as POODLE. PCI DSS 4.0 will be rolled out in mid-2021 and is expected to prohibit the use of TLS 1.1." (their words, not mine)
We use the XG's SMTP proxy feature to inspect email before it's delivered to our internal email servers.
Within Email -> General Settings -> SMTP TLS configuration we have "Disable legacy TLS protocols" ticked. The help message on the right-hand side states:
"We recommend that you disable legacy TLS protocols to overcome TLS vulnerabilities. This option will disable protocols earlier than TLS1.1."
I take that to mean it's disabled everything BEFORE TLS 1.1, but not TLS 1.1 itself. I can confirm SSL2, SSL3 and TLS 1.0 connection attempts are rejected externally to the SMTP proxy.
How can I disable TLS 1.1? Also, why is TLS 1.3 still not supported by the XG230?
References
en.wikipedia.org/.../Transport_Layer_Security
TLS 1.0 and 1.1 were deprecated in 2020
TLS 1.3 was August 2018
Regards
Steve
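
The per-version check described in the post (which protocol versions the externally reachable SMTP proxy still accepts over STARTTLS) can be repeated after any settings change with a short script. This is an added example, not part of the original post and not Sophos code; the function names, the EHLO name `tls-probe.invalid` and the result strings are assumptions made for illustration.

```python
import smtplib
import ssl
import sys

# SSLv2/SSLv3 are left out: current OpenSSL builds cannot offer them at all.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # measuring protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Recent OpenSSL builds refuse TLS 1.0/1.1 at their default security
        # level; without this a local refusal is misread as a server rejection.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx

def probe(host, port, version, timeout=10):
    """Return the outcome of one STARTTLS handshake pinned to `version`."""
    try:
        ctx = pinned_context(version)
    except (ValueError, ssl.SSLError):   # local TLS library lacks this version
        return "not testable from this client"
    try:
        # Constructed EHLO name (assumption); it also avoids a local FQDN lookup.
        smtp = smtplib.SMTP(host, port, local_hostname="tls-probe.invalid", timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "no STARTTLS"
        smtp.starttls(context=ctx)
        return "accepted"
    except OSError:                  # SSLError, resets and SMTP errors are all OSError
        return "rejected"
    finally:
        smtp.close()

def scan(host, port=25):
    return {label: probe(host, port, v) for label, v in VERSIONS.items()}

if __name__ == "__main__" and len(sys.argv) > 1:
    for label, result in scan(sys.argv[1]).items():
        print(f"{label}: {result}")
```

A "rejected" result for TLS 1.0 or 1.1 is worth confirming from a second client, since a locally enforced crypto policy can still block those versions before the server is ever asked.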