
Sophos SEC 5.5.1 - won't start if TLS 1.0 is disabled

Hi,

We upgraded our Sophos SEC instance from 5.5.0 to 5.5.1 to support TLS 1.2. The database is on a dedicated SQL Server which supports TLS 1.2.

When we disable TLS 1.0 (client/server) on the Sophos SEC server, the application cannot start.

We saw online that Sophos looks for the explicit registry settings defining TLS 1.2 client/server as enabled and TLS 1.0/1.1 client/server disabled before it uses TLS 1.2 (https://community.sophos.com/kb/en-us/127521).

We added these registry settings this morning, rebooted, and Sophos cannot start again. It starts once we re-enable TLS 1.0 client/server on the Sophos SEC server.

How should we proceed?

Thanks,

David
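Before and after applying the KB's registry settings, it helps to verify what SChannel actually has on disk rather than trusting the reboot. The script below is an added example written for this thread, not Sophos tooling or the KB's own script; it reads the standard SChannel protocol keys (the paths are the usual Windows ones, not taken from the KB) and reports whether each protocol/side is explicitly enabled, explicitly disabled, or left at the OS default, which is the state the KB says SEC does not treat as "TLS 1.2 enabled".

```powershell
# Added example (not from the thread or the Sophos KB): read-only audit of the
# SChannel protocol keys. Run in an elevated PowerShell on the SEC server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $p) $side
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                   # DWORD, 0 = off, non-zero = on
                $disabledByDefault = $props.DisabledByDefault   # DWORD, 1 = off unless asked for
            }
            # No values at all means SChannel uses the OS default; that is not
            # the "explicit" configuration the KB describes.
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default (not explicit)' }
                     elseif ($enabled -eq 0 -or $disabledByDefault -eq 1) { 'Disabled' }
                     else { 'Enabled' }
            [pscustomobject]@{
                Protocol = $p; Side = $side
                Enabled = $enabled; DisabledByDefault = $disabledByDefault; State = $state
            }
        }
    }
}

# Returns $true only when TLS 1.2 client+server are explicitly enabled and
# TLS 1.0/1.1 client+server are explicitly disabled; warns on each mismatch.
function Test-Tls12OnlyExplicit {
    $ok = $true
    foreach ($r in Get-SchannelProtocolState) {
        $want = if ($r.Protocol -eq 'TLS 1.2') { 'Enabled' } else { 'Disabled' }
        if ($r.State -ne $want) {
            $ok = $false
            Write-Warning ('{0} {1}: expected {2}, found {3}' -f $r.Protocol, $r.Side, $want, $r.State)
        }
    }
    return $ok
}

Get-SchannelProtocolState | Format-Table -AutoSize
if (Test-Tls12OnlyExplicit) { 'SChannel matches the KB: TLS 1.2 explicit on, TLS 1.0/1.1 explicit off.' }
else { 'SChannel does not match the KB; SEC is not expected to select TLS 1.2 in this state.' }
```

This only confirms the SChannel side of the KB; it does not explain the behaviour in the replies below, where the application still needed TLS 1.0 enabled, so treat a passing result as necessary rather than sufficient.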

 



  • We were able to get the Sophos Enterprise Console to load with just TLS 1.2 enabled by doing the following:

    C:\sec_551\serverinstaller\checkdbconnection> .\CheckDBConnection.exe -s <SQL Server> -t onfce -c -a

    (This -a flag tells the program to change the DB connection settings for Sophos.)

    Hope this helps someone in the Interwebs.

    David

  • This helped me, thanks. But I found that the command fails unless I have explicitly enabled TLS 1.0. With that enabled, I successfully ran the command and saw the message: "Encrypted connection to the SQL Server is established." Now that the connection config has been updated, I disabled TLS 1.0, but a subsequent start of SQL Server fails again. So apparently, I have to leave 1.0 enabled in order for Sophos SQL to use 1.2...

    It's great that Sophos will use TLS 1.2, but the point is to be able to disable TLS 1.0 and 1.1 altogether, right? Am I missing something else? Because this improves the security of Sophos while still leaving my server vulnerable to TLS 1.0.