
Disable TLS 1.0 on Web Application Firewall

I have an Exchange server published by the Web Application Firewall, which works pretty well save for a few issues.  A big problem is that the Web Application Firewall supports TLS 1.0 and as a result, we are getting dinged on PCI scans.  I have disabled support for TLS 1.0 on the server itself.  Is there a way to disable it on the WAF?

  • Hi,

    This has had a lot of attention the past 1-2 years and I actually thought it should have been disabled from version 9.4.

    Except for the CLI method, the only way I can think of is to DNAT instead (as you already fixed the Exchange IIS), until this is officially fixed.

    However, you can disable it in the CLI - but it will likely void your warranty if you are a paying customer, in that case you are likely better off having support do it for you.

    There is a guide for the WAF here also with a reference to another blog for webadmin etc : http://utdream.org/post.cfm/how-to-disable-tlsv1-on-sophos-utm9-waf-for-pci

    > QUOTE <

    After (a lot) of digging, I found that the sites running behind the Sophos WAF do so through the Sophos Service "reverseproxy". This is the service we need to edit to remove TLSv1 support.

    The above documentation talks about how to go about logging into the command line on a Sophos UTM9, so I won't repeat it. Once you're logged in, you'll need to run the following commands:

    sudo vim /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf

    Update these two lines:

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    #SSLProtocol all -SSLv2 -SSLv3

    to this

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES
    SSLProtocol +TLSv1.1 +TLSv1.2

    Then restart the 'reverseproxy' service with the following command:

    sudo /var/mdw/scripts/reverseproxy restart

    Check that you can no longer access your site using TLSv1 with the following command (updating it with your own domain name):

    openssl s_client -connect utdream.org:443 -tls1

    You'll get a handshake failed error if TLSv1 has been properly disabled:

    SSL handshake has read 0 bytes and written 0 bytes

    >/QUOTE<
  • Hi NickTria, 

    We have disabled the TLS1.0 from v9.5 and this will be covered under NUTM-5056. It will be then possible to configure the minimal TLS version that is allowed for connections to WAF. I think there will be a GUI option to configure the TLS version used.

    Thanks

  • The firewall is running 9.411 and is still getting dinged for TLS 1.0.  I am able to confirm this by running the following NMAP command.

    nmap --script ssl-enum-ciphers host.domain.com

    It shows that it is able to establish a connection using TLS 1.0.  If I turn off the WAF and use a DNAT, NMAP is not able to establish a connection with TLS 1.0.
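The nmap check above (and the openssl s_client check in the quoted guide) is how you confirm the fix took. Here is an added example (not from the post, nmap or Sophos) that parses the text `nmap --script ssl-enum-ciphers` prints and lists what a PCI scan will object to: any protocol below TLS 1.1 and any weak cipher suite. Both scan samples in the block are constructed in the shape of nmap's output, one for a WAF still offering TLS 1.0 and 3DES, one for the same host after the httpd.conf change; they are not real scan results.

```python
"""Parse nmap ssl-enum-ciphers output and flag what a PCI scan will ding.

Added example (not from the post, nmap or Sophos); the scan samples are
constructed in the shape of nmap's output, not real results.
"""
import re

# Constructed sample: a WAF still offering TLS 1.0 and a 3DES suite.
SCAN_BEFORE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: server
|_  least strength: C
"""

# Constructed sample: the same host after the httpd.conf change.
SCAN_AFTER = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: server
|_  least strength: A
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
WEAK_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "MD5", "_DES_")
PROTO_RE = re.compile(r"(SSLv\d|TLSv1\.\d):")
CIPHER_RE = re.compile(r"(\S+)\s+\((.*?)\)\s+-\s+(\S+)")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [{'name', 'kex', 'grade'}, ...]} from script output."""
    protocols = {}
    current = None
    in_ciphers = False
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # port table and other non-script lines
        body = raw[1:]
        if body.startswith("_"):          # '|_' marks the script's last line
            body = " " + body[1:]
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if indent == 3 and PROTO_RE.fullmatch(line):
            current = line[:-1]           # e.g. "TLSv1.0"
            protocols[current] = []
            in_ciphers = False
        elif indent == 5 and current is not None:
            in_ciphers = line == "ciphers:"   # skip compressors/warnings blocks
        elif indent == 7 and current is not None and in_ciphers:
            m = CIPHER_RE.match(line)
            if m:
                protocols[current].append(
                    {"name": m.group(1), "kex": m.group(2), "grade": m.group(3)})
    return protocols


def pci_findings(protocols):
    """List (protocol, cipher, reason) tuples a PCI scan would report."""
    findings = []
    for proto, ciphers in protocols.items():
        if proto in LEGACY_PROTOCOLS:
            findings.append((proto, "*", "legacy protocol offered"))
        for c in ciphers:
            weak = any(mark in c["name"] for mark in WEAK_MARKERS)
            if weak or c["grade"] not in ("A", "B"):
                findings.append((proto, c["name"], "weak cipher, grade " + c["grade"]))
    return findings


def tls10_offered(protocols):
    """True when the scanned service still negotiates TLS 1.0."""
    return "TLSv1.0" in protocols


if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        parsed = parse_ssl_enum_ciphers(scan)
        print(label, sorted(parsed), pci_findings(parsed))
```

Feed it the saved output of the nmap command from the post (`nmap --script ssl-enum-ciphers host.domain.com > scan.txt`) and an empty findings list is the result you want before re-running the PCI scan; a "TLSv1.0" entry means the WAF, not the Exchange server behind it, is still terminating TLS 1.0.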

  • I am editing my previous suggestion as per a latest update.

  • From another thread in this forum:

    UTM 9.5 coming soon

    Web Application Firewall:

    WAF TLS version allows the option to specify the TLS version required for a virtual server, which enables PCI compliance by excluding TLS1.0

    So I suggest you get excited about UTM 9.5 ;-)

  • Hard to get too excited before I even get invited to the closed beta. [;)]

    Cheers - Bob