SSLv2 to TLS 1.2

I was connected via SSL VPN and decided to sniff my traffic to see which encryption protocol was being used. To my dismay I saw that it is SSLv2.

This needs to change to at least TLS 1.1. How can this be done?

I have UTM 9.401-11.



  • Hi Ryan,

    SSH to UTM and follow the step:

    Navigate to /var/chroot-smtp/etc/

    Open the exim.conf with vi: vi exim.conf

    Change(or add if missing) the line openssl_options to: openssl_options = +no_sslv3
    at the end of the section #TLS

    Note: Make sure that the values for tls_require_ciphers looks as follows before you save your changes:
    RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

    Save your changes and close the editor: :wq

    Now restart the smtpd service by executing /var/mdw/scripts/smtp restart

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
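As an added example (not from the Sophos reply above, and not Sophos's own tooling): a small POSIX shell script that applies the exim.conf change the reply describes to a file and checks the result before you restart smtpd. The sample config content is constructed for the example; only the `#TLS` section heading, the two directive names and the expected cipher string come from the reply. Note that the tls_require_ciphers string the reply asks you to keep still permits RC4 (RC4+RSA leads the list); the verify function checks it exactly as written rather than judging it.

```shell
#!/bin/sh
# Added example, not from the Sophos post. Applies "openssl_options = +no_sslv3"
# inside the #TLS section of an exim.conf and verifies both values the post
# names. Assumes POSIX sh with grep, sed and awk; no "sed -i" so it also runs
# on non-GNU systems. After verify_exim_tls passes on the real file, the post
# says to run: /var/mdw/scripts/smtp restart

# Constructed sample of the relevant part of exim.conf (not a real UTM file).
make_sample_exim_conf() {
  cat > "$1" <<'EOF'
# exim.conf (constructed sample)
primary_hostname = utm.example.internal

#TLS
tls_certificate = /etc/ssl/smtp.pem
tls_privatekey = /etc/ssl/smtp.key
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

begin acl
EOF
}

# Set openssl_options: replace an existing line in place, otherwise add it at
# the end of the #TLS section (before the section's trailing blank line or the
# next "begin" keyword). Idempotent: a second run never duplicates the line.
set_openssl_options() {
  f=$1; want=$2
  if grep -q '^openssl_options' "$f"; then
    sed "s|^openssl_options.*|openssl_options = ${want}|" "$f" > "$f.tmp"
  else
    awk -v opt="openssl_options = ${want}" '
      /^#TLS/ { intls = 1 }
      intls && !done && (/^begin / || /^$/) { print opt; done = 1 }
      { print }
      END { if (!done) print opt }   # no #TLS section: append at the end
    ' "$f" > "$f.tmp"
  fi
  mv "$f.tmp" "$f"
}

# Check the two values the reply asks for; non-zero exit if either is off.
verify_exim_tls() {
  f=$1
  grep -q '^openssl_options = +no_sslv3$' "$f" \
    || { echo "openssl_options missing or not +no_sslv3" >&2; return 1; }
  grep -q '^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2$' "$f" \
    || { echo "tls_require_ciphers differs from the expected string" >&2; return 1; }
  return 0
}
```

Run it against a copy of the real file first (`cp /var/chroot-smtp/etc/exim.conf /tmp/exim.conf && set_openssl_options /tmp/exim.conf +no_sslv3 && diff`), then apply to the live file and restart the service.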

  • That's for the SMTP service, not the remote-access VPN settings.

  • Hi,

    This cannot be changed. OpenVPN will communicate on the parameter as in the attached screenshot.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I found some interesting lines in the log.

    Line 1: DEPRECATED OPTION: --tls-remote, please update your configuration

    Line 3: library versions: OpenSSL 1.0.1p

    Is this something updated by Sophos through up2date and nothing can be changed manually by an administrator?

  • Ryan, I'd be interested in knowing if adding tls-version-min 1.2 or-highest to both client and server config files would work. If you have a paid subscription, I wouldn't do that though.  If that doesn't work, it could be because the Sophos client is an older version, so you may need to download the new client from OpenVPN.  Let us know!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
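As an added example (not Bob's code, not Sophos's, and not OpenVPN's own): a POSIX shell script that pins the floor Bob suggests on both sides of the tunnel, checks that the server and client configs agree, and pulls the version lines Ryan quoted out of a log so you can tell what build you are dealing with. `tls-version-min` (optionally followed by `or-highest`) is the real OpenVPN directive; confirm it in the openvpn(8) man page of the version you actually run, since the thread puts the client at OpenVPN 2.3.8. The config contents, file paths and log lines below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh with grep, sed and awk.
# All file contents here are constructed; the directive names are OpenVPN's.

# Constructed server and client configs (not UTM's generated files).
make_sample_configs() {
  cat > "$1" <<'EOF'
port 443
proto tcp-server
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-version-min 1.0
EOF
  cat > "$2" <<'EOF'
client
dev tun
proto tcp-client
remote vpn.example.internal 443
ca ca.crt
cert client.crt
key client.key
tls-remote vpn.example.internal
EOF
}

# Print the minimum TLS version a config enforces, or "none" if unset
# (the floor is then left to the OpenSSL build, not to the config).
tls_min_of() {
  awk '$1 == "tls-version-min" { v = $2 } END { print (v == "" ? "none" : v) }' "$1"
}

# Replace any existing tls-version-min line with the requested floor.
# $3 may be "or-highest": a peer whose library cannot reach $2 then negotiates
# its highest supported version instead of failing the handshake.
ensure_tls_min() {
  f=$1; ver=$2; mode=${3:-}
  grep -v '^tls-version-min' "$f" > "$f.tmp" || :
  printf 'tls-version-min %s %s\n' "$ver" "$mode" | sed 's/ *$//' >> "$f.tmp"
  mv "$f.tmp" "$f"
}

# Both sides must set the same floor; pinning only the server is the usual
# reason an unchanged client suddenly cannot connect.
configs_agree() {
  [ "$(tls_min_of "$1")" != "none" ] && [ "$(tls_min_of "$1")" = "$(tls_min_of "$2")" ]
}

# Count tls-remote lines, the directive the quoted log marks as deprecated.
count_tls_remote() {
  grep -c '^tls-remote' "$1" || :
}

# Constructed log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG='DEPRECATED OPTION: --tls-remote, please update your configuration
OpenVPN 2.3.8 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO]
library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08'

# Read an OpenVPN log on stdin and print the daemon / library versions.
openvpn_version() { awk '$1 == "OpenVPN" { print $2; exit }'; }
openssl_version() { awk '/^library versions:/ { print $4; exit }'; }
```

Usage on a real pair of files: `ensure_tls_min server.conf 1.2 && ensure_tls_min client.ovpn 1.2 && configs_agree server.conf client.ovpn && echo ok`. Use `or-highest` on the side you cannot upgrade yet, then drop it once both builds can do TLS 1.2.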
  • From the log file: OpenVPN 2.3.8 and OpenSSL 1.0.1p. The current OpenVPN version is 2.6, and this version does not appear to allow a custom config file.

    Looking at the man page it does appear that I must change the server config file to force TLS with a matching setting on the client.