
Disable TLS 1.0 on Web Application Firewall

I have an Exchange server published by the Web Application Firewall, which works pretty well save for a few issues.  A big problem is that the Web Application Firewall supports TLS 1.0 and as a result, we are getting dinged on PCI scans.  I have disabled support for TLS 1.0 on the server itself.  Is there a way to disable it on the WAF?



  • Hi,

    This has had a lot of attention the past 1-2 years and I actually thought it should have been disabled from version 9.4.

    Except for the CLI method, only way I can think of is to DNAT instead (as you already fixed the Exchange IIS), until this is officially fixed.

    However, you can disable it in the CLI - but it will likely void your warranty if you are a paying customer; in that case you are likely better off having support do it for you.

    There is a guide for the WAF here also with a reference to another blog for webadmin etc : http://utdream.org/post.cfm/how-to-disable-tlsv1-on-sophos-utm9-waf-for-pci

    > QUOTE <

    After (a lot of) digging, I found that the sites running behind the Sophos WAF do so through the Sophos Service "reverseproxy". This is the service we need to edit to remove TLSv1 support.

    The above documentation talks about how to go about logging into the command line on a Sophos UTM9, so I won't repeat it. Once you're logged in, you'll need to run the following commands:

    sudo vim /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf

    Update these two lines:

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    #SSLProtocol all -SSLv2 -SSLv3

    to this

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES
    SSLProtocol +TLSv1.1 +TLSv1.2

    Then restart the 'reverseproxy' service with the following command:

    sudo /var/mdw/scripts/reverseproxy restart

    Check that you can no longer access your site using TLSv1 with the following command (updating it with your own domain name):

    openssl s_client -connect utdream.org:443 -tls1

    You'll get a handshake failed error if TLSv1 has been properly disabled:

    SSL handshake has read 0 bytes and written 0 bytes

    >/QUOTE<
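As an added example (not part of the thread or of the quoted blog post), the single `openssl s_client -tls1` check above can be extended into a small POSIX shell script that probes every SSL/TLS version and also the 3DES suites that the new SSLCipherSuite line drops. The host name `mail.example.com`, the port, and the sample `s_client` outputs used for the self-check are assumptions; the script relies on `openssl s_client` accepting the `-ssl3`, `-tls1`, `-tls1_1`, `-tls1_2`, `-cipher` and `-servername` options, which can vary by OpenSSL build (some omit `-ssl3`).

```shell
#!/bin/sh
# Added example, not from the thread or the quoted blog post: probe a site
# published by the WAF for each SSL/TLS version (and for 3DES suites) and
# report what the listener still accepts after the httpd.conf change.
# Assumes an openssl binary whose s_client understands -ssl3/-tls1/-tls1_1/
# -tls1_2, -cipher and -servername; some builds omit -ssl3.

# classify_handshake OUTPUT
# Takes the combined stdout/stderr of one `openssl s_client` run and prints
# "accepted" (exit 0) if a cipher was negotiated, "rejected" (exit 1) otherwise.
classify_handshake() {
    out="$1"
    # Decide on the "New, ..., Cipher is XXX" line rather than the SSL-Session
    # "Protocol" line: some builds echo the *requested* version there even when
    # the handshake failed, whereas a failed handshake always reports
    # "Cipher is (NONE)".
    if printf '%s\n' "$out" | grep -Eq '^New, .*Cipher is [A-Z0-9_-]+'; then
        echo accepted
        return 0
    fi
    echo rejected
    return 1
}

# probe_version HOST PORT FLAG   e.g. probe_version mail.example.com 443 -tls1
probe_version() {
    host="$1"; port="$2"; flag="$3"
    # -servername sends SNI so the WAF selects the right virtual site/certificate;
    # the piped echo closes stdin so s_client exits right after the handshake.
    out=$(echo | openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>&1)
    classify_handshake "$out"
}

# probe_cipher HOST PORT CIPHERLIST   e.g. probe_cipher mail.example.com 443 3DES
# Confirms the !3DES entry took effect independently of the protocol version.
probe_cipher() {
    out=$(echo | openssl s_client -connect "$1:$2" -servername "$1" -cipher "$3" 2>&1)
    classify_handshake "$out"
}

# probe_all HOST PORT   prints one line per check; everything but -tls1_1 and
# -tls1_2 should read "rejected" once the reverseproxy config is in place.
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-10s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
    printf '%-10s %s\n' "3DES" "$(probe_cipher "$1" "$2" 3DES)"
}

# Usage: ./tls-probe.sh mail.example.com 443   (host name is a placeholder)
if [ "$#" -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

Run it from a machine outside the WAF so the probe traverses the same listener the PCI scanner sees; the `Cipher is` line is the reliable signal because `s_client` prints `Cipher is (NONE)` whenever no session was negotiated, regardless of what the error text or the SSL-Session block says.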