Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 2492 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSLv3 and TLSv1

bobw1959
Hi,

We got the following in a report back from our Auditors. Does anyone know if Astaro supports a higher level of encryption?

We have an ASG320 running version 7.305.

"31. The firewall supports the use of SSLv3 and TLSv1 56-bit key encryption. 

We suggest, if possible, stronger ciphers be required. See the following information for more details - www.openssl.org/docs/apps/ciphers.html."

Bob


This thread was automatically locked due to age.
  • 0
    Bob, Can we assume the quoted text comes from the auditors' report?  I'm tempted to say that they're confused, but it could be I who am ignorant.  

    In any case, if you are worried about VPNs or email, there are incredible levels of encryption available with the Astaro, and I doubt that yours would have been configured with 56-bit encryption of any sort.

    Can you give us the name of the company/product that examined the Astaro to reach that conclusion?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Thanks for the reply Bob. 

    You are correct in your assumption about the auditors, but I don't feel comfortable posting the name of their firm in a public forum nor do I know what product they used during the scan. To be honest, I don't even know what part of the firewall they were looking at when they came up with this. Possibly they were just scanning one of our https sites/addresses? I do know we have much stronger encryption on the SSLVPN portion and that I personally have no worries as to the strength of the ciphers or security of the Astaro product. 

    I guess what I'm really after is an employee of Astaro to write something up indicating that it's not a supported option to add/change ciphers per the openssl.org site listed in the original post as I feel that would appease the auditors. They do say "if possible" after all! I have opened a support ticket asking for that very thing but have yet to receive a response.

    Thanks again

    Bob
  • 0 in reply to bobw1959
    Our auditors pointed out something similar on HTTPS.

    Note that "supports weak encryption" and "only supports weak encryption" are NOT the same things.

    Barry
  • 0 in reply to BarryG
    Check in an email header for a line like the following:
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);

    That should put the auditors' minds at ease!

    After all, the Astaro can only work with what it's sent...

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA