Under Review

KB-000045458 - Update Cipher Suites and Config Location

While reviewing the TLS cipher suites in use on our network, we noticed that our Sophos XG firewalls used a less than ideal set of defaults, and got ahead on implementing the suggestions described in KB-000045458. However, it seems that since the article was published, Mozilla has updated the recommended cipher suites.

Recommended Cipher Suites

KB-000045458:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305-SHA256:DHE-RSA-AES256-CCM-8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM-8:DHE-RSA-AES128-CCM

Mozilla:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

The Mozilla SSL configuration generator also recommends disabling SSLHonorCipherOrder, along with SSLSessionTickets. Based on the version of Apache and OpenSSL, it should also be possible to enable TLSv1.3 for these portals, but we stopped short of trying this ourselves.

Besides these recommendations by Mozilla, this article has not been updated since the introduction of the dedicated VPN portal, meaning it misses configuring “vpnportal.conf” and thus leaves weak ciphers in use. Finally, the “Sophos Firewall: WAF cipher suites and claimed weak ciphers” link under “Related information” now goes to a 404, and should be removed.
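To see exactly what changes between the KB-000045458 string and the Mozilla string, and to check that a string resolves on the OpenSSL build in question before it goes into a portal config, here is a small Python script (an added example, not part of the post or of Sophos' or Mozilla's tooling; the suite strings are the ones quoted above, and the policy rules it applies are its own assumptions):

```python
"""Compare the two cipher suite strings from the post and review each suite.
Added example, not Sophos' or Mozilla's code; the suite strings are the ones
quoted in the post, and the policy rules are this script's own assumptions."""
import re
import ssl

KB_SUITES = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
             "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:"
             "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305-SHA256:"
             "DHE-RSA-AES256-CCM-8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:"
             "DHE-RSA-AES128-CCM-8:DHE-RSA-AES128-CCM")
MOZILLA_SUITES = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                  "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
                  "DHE-RSA-CHACHA20-POLY1305")

def parse_cipher_string(s):
    """Split an OpenSSL cipher string into its ordered suite names."""
    return [name for name in s.split(":") if name]

def review_suite(name):
    """Return policy findings for one suite name; an empty list means it passes.
    Rules (this script's assumptions): ECDHE/DHE key exchange for forward
    secrecy, an AEAD cipher, and no CCM-8 (64-bit authentication tag)."""
    findings = []
    if name.split("-")[0] not in ("ECDHE", "DHE"):
        findings.append("no forward secrecy")
    if not re.search(r"-(GCM|CCM(-8)?|CHACHA20-POLY1305)(-|$)", name):
        findings.append("not an AEAD cipher")
    if "-CCM-8" in name:
        findings.append("CCM-8 uses a 64-bit tag")
    return findings

def review(cipher_string):
    """Map each suite that fails a rule to its findings."""
    return {n: f for n in parse_cipher_string(cipher_string) if (f := review_suite(n))}

def diff_suites(old, new):
    """Return (dropped, added) when replacing the old string with the new one."""
    old_l, new_l = parse_cipher_string(old), parse_cipher_string(new)
    return ([n for n in old_l if n not in new_l], [n for n in new_l if n not in old_l])

def resolve_locally(cipher_string):
    """Ask the local OpenSSL which TLS 1.2 suites the string enables. Names the
    build does not know are silently dropped, so check the result against the
    intended list before putting the string into a config file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
```

`diff_suites(KB_SUITES, MOZILLA_SUITES)` shows the five suites the Mozilla list drops (the CCM ones and DHE-RSA-CHACHA20-POLY1305-SHA256) and the three it adds, while `review(KB_SUITES)` flags only the two CCM-8 suites.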