Sophos Firewall: WAF and claimed weak ciphers

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Here is the response from the development and security team here at Sophos regarding cipher list available in the Sophos Firewall for WAF:

Strong ciphers

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)

Weak ciphers

• Because CBC is used
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)

• Because SHA1 is used (in addition to CBC)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

• Because no forward secrecy is offered (some also use CBC and/or SHA1)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
  • TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
  • TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

Regarding when "CBC is used"

According to the security team: "CBC being offered is ok as long as its a strong cipher. That is no 3DES ciphers offered". All offered ciphers are strong is this regard (e.g. no 3DES is offered).

Conclusion: Leave it as it is

Regarding "SHA1 is used"

This is considered OK because SHA1 is used as HMAC-SHA1 which is not broken (unlike pure SHA1). All offered ciphers are strong in this regard.

Security team: "While SHA1 is broken, HMAC-SHA1 is not broken. Assuming that the HMAC key is not known to the attacker, HMAC-SHA1 is not susceptible to the same collision attacks that SHA1 is. If the attacker has the HMAC key, he has broken HMAC itself, no matter if it is HMAC-SHA1 or HMAC-SHA2."

Conclusion: Leave it as it is

Regarding "no forward secrecy is offered"

The overall SSL Labs rating does not change if the non-forward secrecy ciphers are removed.

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS

Less capable clients will lose support if the non-forward secrecy ciphers are removed. Clients that support forward secrecy will prefer the forward secrecy ciphers anyway.

Conclusion: Leave it as is, as it has no impact on clients that support forward secrecy but widens the support for less capable clients

As you can see if you remove the CBC ciphers from the list, you are limiting the client pool that can connect to your WAF instance.  You must also ensure that the default WAF settings for the TLS version has not been altered from TLS1.0.  Doing so will override the SSL settings configured in the file listed below.

• If you would like to remove various ciphers, the file to edit is located here: /usr/apache/conf/httpd.conf
• You need to put the system into read/write mode: mount -no remount, rw /
• Then edit the above file with VI and locate the following line: Include /cfs/waf/reverseproxy.conf: 

The above line is normally located at the end of the file.

• Add your own SSLProtocol and SSLCipherSuite options here. Make sure that you follow the syntax specified by Apache and OpenSSL. For more information, you can refer to the Apache documentation at mod_ssl - Apache HTTP Server Version 2.4 and mod_ssl - Apache HTTP Server Version 2.4

• Save the file.

• Put the filesystem back to read-only mode: mount -no remount, ro /

• Restart WAF for the changes to take effect: service -ds nosync waf:restart

Note: that when WAF is set to use TLS1.2, 3DES ciphers are not offered to the client.

I hope this answers everyone's question surrounding this.