Updated Sophos Enterprise console from 5.4.0 to 5.4.1 but TLS 1.2 isn't being used?

I successfully updated the Sophos Enterprise Console to version 5.4.1 to take advantage of TLS 1.2. However, four days after doing the upgrade I can still see the endpoints communicating to the server on port 8194 using TLS v1.0. All the endpoints are running version 10.6.3 and RMS 4.0.6 and show 'up to date' in the Sophos Enterprise Console. Does anyone know why the endpoints are still using TLS v1.0 and what do I need to do to get them to start communicating over TLS 1.2 on port 8194?

Thank you for your time.

  • Hello Matt Hynes,

    I can still see the endpoints communicating to the server on port 8194 using TLS v1.0.
    How did you find out (not that I doubt your words)? Are you referring to the TLSv1.0 in the endpoint's Client Hello 0x160301? As far as I can see RMS for SEC 5.4.1 responds with TLSv1.2 (0x160303) in the Server Hello and Server Hello Done
    messages and subsequently TLSv1.2 is used (so the Application Data messages start with 0x170303).
    Keep in mind that the RMS communication is not intended for general interoperability but uses standard libraries. Thus it's not necessary to negotiate the protocol, the endpoint advertises 1.0, SEC 5.4.1 and above force 1.2, clients with RMS 4 accept this "protocol version upgrade".

    Christian

  • Hello Christian,

    We use a 3rd party tool to scan for security vulnerabilities on a regular basis.  Before I upgraded to 5.4.1 the scan reported port 8194 supported TLS v1.0.  I opened a support request with Sophos and they said to resolve this we need to upgrade to SEC 5.4.1.  After the upgrade to 5.4.1 I ran another scan and it's reporting the same vulnerability, port 8194 supports TLS v1.0.  

    If I'm understanding you correctly, what I'm seeing in the vulnerability scan is the endpoint advertising TLS 1.0 but SEC forces TLS v1.2?  Is there any way to require the endpoints to advertise TLS v1.2?  Or is it possible this could change with the release of 10.6.4?

    I appreciate your help!

  • Hello Matt,

    I'm not Sophos and all I say is derived from observation only (and maybe a little bit of thinking). Port 8194 in the server should force TLSv1.2, the endpoints will (for now) continue to advertise 1.0 (there are still very old consoles, even SCC, some are not capable of upgrading to the latest SUM and the associated RMS) and will accept (as one can see from the logs) TLSv1.0 and v1.1.
    This is not a very serious issue though - as said, this is not a general communication path. The client checks the certificates it has obtained on a different channel (cac.pem) so it won't accept arbitrary connections, v1.2 vs. previous versions is more a question of robust cipher suites and signing hashes. In addition RMS doesn't solely rely on transmission security.
    The message in the router logs suggests that acceptance of older TLS versions (by the client) is explicitly mentioned; I guess it can already be disabled - if you have strict compliance rules Support might tell you how.

    Christian

  • Hello Matt,

    I've missed an important point - the downstream connection from server to the endpoint's 8194. So as far as TLS is concerned the endpoint is the server and if presented with a v1.0 or v1.1 Client Hello it'll likely accept it. Everything else still applies though.

    I have to compensate for this blunder: HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\, new DWORD LegacyProtocolSupport, set to 0.

    Christian

  • Interesting, did you add this registry entry on your SEC 5.4.1 server and test it?  I'm wondering if there is a log on the server that confirms TLS v1.2 is being used to communicate?  

  • Hello Matt,

    I've found this value on the server, it's likely set during install and this is why the server forces TLSv1.2. Set the value on an endpoint and the ... keeping legacy compatibility ... message no longer appears in the router log.

    Did some more tracing: Both server and endpoint still advertise TLSv1.0 in their Client Hello, even when the mentioned value is set. And whether set or not, the Server Hello (both from SEC and the endpoint) requests TLSv1.2. So it doesn't seem to have an effect - at least as far as the TLS version goes. I didn't check the cipher suites though.
    Question is how the 3rd-party tool comes to the conclusion that TLSv1.0 is used.

    Christian
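The two observations above (Christian's first reply and the later tracing post) hinge on a detail that trips up many scanners: the 5-byte TLS record header of a Client Hello commonly carries version 3.1 (0x160301) for backward compatibility, as RFC 5246 Appendix E allows, while the version the peers actually settle on is the one inside the Server Hello (3.3 for TLSv1.2), and subsequent Application Data records are then framed as 0x170303. The following Python script is an added example, not code from the thread or from Sophos; it parses a byte stream of TLS records, separates the record-layer version from the Hello version, and reports the negotiated version from the Server Hello. The byte stream it runs on is constructed inline to mirror the pattern described in the thread; it is not captured RMS traffic, and the cipher suite and random bytes are placeholders.

```python
import struct

# Names for the (major, minor) version bytes used by the TLS record layer
# and by the Hello messages.  TLS 1.0 is 3.1, TLS 1.2 is 3.3.
TLS_VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def version_name(major, minor):
    return TLS_VERSIONS.get((major, minor), f"{major}.{minor}")


def parse_record(data):
    """Parse one TLS record from the front of `data`.

    Returns (record_dict, remaining_bytes).  For handshake records the version
    carried inside the Hello message is extracted separately from the version
    in the 5-byte record header, because the two routinely differ.
    """
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    rec = {
        "raw_header": data[:3].hex(),          # e.g. "160301", the bytes one sees in a trace
        "content_type": CONTENT_TYPES.get(ctype, hex(ctype)),
        "record_version": version_name(major, minor),
    }
    if ctype == 0x16 and len(body) >= 6:
        # Handshake header: type (1 byte), length (3 bytes), then the Hello's own version (2 bytes)
        rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], hex(body[0]))
        rec["hello_version"] = version_name(body[4], body[5])
    return rec, data[5 + length:]


def parse_stream(data):
    """Split a byte string into successive TLS records."""
    records = []
    while data:
        rec, data = parse_record(data)
        records.append(rec)
    return records


def negotiated_version(records):
    """The protocol version actually in use is the one the Server Hello selects."""
    for rec in records:
        if rec.get("handshake_type") == "server_hello":
            return rec["hello_version"]
    return None


def build_hello(handshake_type, hello_version, record_version):
    """Build a minimal Client/Server Hello record (constructed sample, not captured traffic)."""
    body = bytes(hello_version) + b"\x00" * 32                 # Hello version + 32-byte placeholder random
    if handshake_type == 1:                                    # ClientHello
        body += b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"    # no session id, one offered suite, null compression
    else:                                                      # ServerHello
        body += b"\x00" + b"\x00\x2f" + b"\x00"                # no session id, chosen suite, null compression
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + len(handshake).to_bytes(2, "big") + handshake


# Constructed exchange mirroring the pattern described in the thread:
# the Client Hello record is framed as 3.1 (TLSv1.0) but offers 3.3 (TLSv1.2),
# the Server Hello answers with 3.3, and application data then flows as 0x170303.
CONSTRUCTED_STREAM = (
    build_hello(1, (3, 3), (3, 1))
    + build_hello(2, (3, 3), (3, 3))
    + b"\x17\x03\x03\x00\x04" + b"\xde\xad\xbe\xef"
)


if __name__ == "__main__":
    recs = parse_stream(CONSTRUCTED_STREAM)
    for r in recs:
        print(r)
    print("negotiated:", negotiated_version(recs))
```

Run against a real capture, the distinction the script makes is the one that matters when reconciling a scanner finding with a trace: a report that "port 8194 supports TLSv1.0" is only substantiated if the scanner's own TLSv1.0 Client Hello was answered with a Server Hello whose Hello version is 3.1, not merely because a 0x160301 record header was observed.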

  • I'm not sure how the compliance scanning software determines port 8194 is enabled for TLS v1.0.  I contacted Sophos support and sent them the logs from my workstation since it failed the compliance scan for port 8194.  Hopefully there's a way for them to validate that TLS v1.2 is in fact being used.  

  • Hello Matt,

    auditors are auditors, use auditors' tools, and their tools' output (maybe in conjunction with a cheat sheet) determines the result. 
    I'm pretty sure v1.2 is used - but even if Sophos confirms this it likely won't help if the tool ...

    Christian