Failing PCI Scans - How do I disable TLS 1.0 and block DES & 3DES?

Looks like 16.05 fixes this but it's only on RC1

Allan,

what Charles is saying should be correct for the TLS. Are you using any IPSec connection? Red?

Thanks

Unknown said:

Looks like 16.05 fixes this but it's only on RC1

 

lferrara said:

what Charles is saying should be correct for the TLS. Are you using any IPSec connection? Red?

Not yet but we will be.  Both a IPSec site to site VPN and I planned on trying out a Red device for testing and possibly for a branch office of 15 people.  Based on testing the Red I'd either get a Red 50 or just another small XG and setup the site to site with that.

-Allan

I upgraded one of my two XG boxes (one thats not in production yet but is connected to the internet for testing) to 16.05 RC1.  Rescanned and it passed.  Still would be nice to have the options available as settings but this is a good start.

-Allan

So it seems in 16.05 MR2 that TLS 1.0 is enabled again as I just failed my PCI compliance scans.  It was blocked on 16.05 RC1.  Is this something I can disable through the console?

I'm back to failing my PCI scans and I really like to not be.  It definitely is on the XG as TLS 1.0 is already disabled on the backend servers using IISCrypt.

-Allan

I've opened a support ticket on this as it doesn't make sense that it was disabled in the RC and re-enabled in the actual release.  I'll report back once they either verify the issue or tell me how to fix it.

First what I got back from support:

"Unfortunately, it's not possible to change TLS version  from GUI as well as from CLI in XG v16.05(MR 1 & 2), cause it is hard coded and changed from proxy binary. I confirmed same with senior team."


So I have to have them make the change to disable TLS v1.0, currently waiting for that to happen so I can re-try my PCI compliance scan.


There is a suggestion on this for the UTM (ideas.sophos.com/.../8039499-remove-support-for-tls-1-0-allow-it-to-be-disabled) but there wasn't one for the XG.  I added it if anyone cares to upvote it:

ideas.sophos.com/.../18624847-remove-support-for-tls-v1-0-and-insecure-cyphers-o

-Allan

Support got back to me today and told me how to manually edit the httpd file on the XG to remove the insecure cyphers (3DES mainly) and protocols (TLS 1.0 and 1.1).  While I was in there I also disabled Trace/Track which was failing me also.  I wrote a blog post about it here:  http://allandynes.com/2017/04/sophos-xg-firewall-pci-compliance-woes/ .

Long story short the TLS enable/disable will be added to the UI in v17 but only for 1.0 it seems, not 1.1 or the cyphers.  Also the changes I manually made to the httpd file will need to be done each time there is a firmware update which is a PITA.

But long story short I now pass my PCI compliance scans fully.

-Allan

Hi,

Did this feature make it into v 17?  If so , where can I make this change in the v 17 UI?

Cam

I haven't been able to find it.  And its been a year since I posted this now.  Apparently there isn't enough people complaining about it to get it added in properly to the UI.  My blog post is still accurate though as I had to do it on two v17 boxes.