Disable TLS 1.0 on Web Application Firewall

Question

I have an Exchange server published by the Web Application Firewall, which works pretty well save for a few issues. A big problem is that the Web Application Firewall supports TLS 1.0 and as a result, we are getting dinged on PCI scans. I have disabled support for TLS 1.0 on the server itself. Is there a way to disable it on the WAF?

This thread was automatically locked due to age.

Vels · Accepted Answer

Hi, This has had a lot of attention the past 1-2 years and I actually thought it should have been disabled from version 9.4. Except for the CLI method, only way I can think of is to DNAT instead (as you already fixed the Exchange IIS), until this is officially fixed. However, you can disable it in the CLI - but it will likely void your warranty if you are a paying customer, in that case you are likely better of having support do it for you. There is a guide for the WAF here also with a reference to another blog for webadmin etc : http://utdream.org/post.cfm/how-to-disable-tlsv1-on-sophos-utm9-waf-for-pci > QUOTE < After (a lot) of digging, I found that the sites running behind the Sophos WAF do so through the Sophos Service "reverseproxy". This is the service we need to edit to remove TLSv1 support. The above documentation talks about hwo to go about logging into the command line on a Sophos UTM9, so I won't repeat it. Once you're logged in, you'll need to run the following commands: sudo vim /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf Update these to lines: SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS #SSLProtocol all -SSLv2 -SSLv3 to this SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES SSLProtocol +TLSv1.1 +TLSv1.2 The restart the 'reverseproxy" service with the following command: sudo /var/mdw/scripts/reverseproxy restart Check that you can no longer acccess your site using TLSv1 with the following command (updating it with your own domain name): openssl s_client -connect utdream.org:443 -tls1 You'll get a handshake failed error if TLSv1 has been properly disabled: SSL handshake has read 0 bytes and written 0 bytes >/QUOTE<

sachingurung · Answer

Hi NickTria, 
 We have disabled the TLS1.0 from v9.5 and this will be covered under NUTM-5056. It will be then possible to configure the minimal TLS version that is allowed for connections to WAF. I think there will be a GUI option to configure the TLS version use. 
 Thanks