UTM Up2Date 9.506 Released

9.506 is released.

Maybe we could use this thread for reporting successfully updated systems and maybe not so many bugs. Who wants to be first to update? :-)

  • Updated HA-Cluster (SG230), no issues till now. Using proxy standard mode with AD, some IPSEC, REDs, mail protection.

  • I have updated our production UTM for the last few days and no issues to report whatsoever. 

    My home UTMs have been working fine too.

  • Thanks for the link. On the same page I found this: (translated from German by Google)

    "Attention, there are problems in HA mode in the ESXi environment. After updating from 9.505-4 to 9.506-2, certain VM servers (the VMs running on the same host where the Passive UTM VM was running) were no longer accessible on the network! Only after shutting down the "passive" node were they suddenly reachable again. Rebuilding the HA did not help. I had to rest again on 9.505-4, then everything went OK again. I wait for the first time 1-2 updates, then we'll see :)"

  • I posted the following workaround there that might work.  This applies to VMs in HA running on the same host.

    How to resolve issues with Virtual UTMs configured for High Availability:
     1. Login to the UTM console as root.
     2. Enter the following command to determine if HA virtual_mac is enabled:
              cc get ha advanced virtual_mac
     3. If the output is 1, you can disable it by entering the following:
              cc set ha advanced virtual_mac 0
     4. Restart all virtual UTMs.

    Please let us know if this worked.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • WAF is broken for me.

    It affects Windows 7 clients using Outlook 2010 connecting to Exchange 2010. 

    Other combinations like Windows 10, or Outlook 2013 work fine.

    TLS 1 is required somewhere in this chain.

    9.505-4 added a TLS Version dropdown that allowed you to pick your Min. TLS level.

    9.506-2 removed the option.

    I have an open support ticket, do not have a work around yet.

    I was sent this as a workaround:

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/89791/disable-tls-1-0-on-web-application-firewall/325726

    It doesn't seem to apply since the lines Sophos references to change no longer exist in the file.

    Hope this helps,

    Ron

  • Latest Update from Sophos Support.

    If I understood correctly.

    TLS 1 support has been removed.

  • Ron, what does the following give you?

    cc get reverse_proxy min_tls

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • After you do: cc set reverse_proxy min_tls 1

    Check the result with: grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

    Now is WAF still "broken" for that one situation?

    Note that this probably is not supported and that you should upgrade your software to eliminate its dependence on TLSv1.  After upgrading, use the trick above to set the value back to 1.1.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • TLS 1.0 and TLS 1.1 are no longer considered safe encryption technologies, so this should not be a surprise. However, the change should have been in the release notes. I have complained about this before.

    I infer that your problem is on the client side, since you said the problem only affects Windows 7. Windows 7 shipped with TLS 1.0 installed but not enabled, for reasons that defy explanation. You can turn it on by GPO or manually within Internet Options.

    Reconfiguring your clients is a better idea than decreasing UTM security, but you can probably re-enable TLS 1.0 and TLS 1.1 by editing this file:

    /var/chroot-reverseproxy/usr/apache/conf/httpd.conf

    Change this line:

    SSLProtocol +TLSv1.2
    to
    SSLProtocol +TLSv1.0 +TLSv1.1 +TLSv1.2

    Note 1: Never enable TLS 1.0 without also enabling TLS 1.1. The session compatibility search functions do not like gaps in the search sequence.

    Note 2: I also recollect that Exchange 2010 had a problem with SMTP supporting nothing higher than TLS 1.0, but I believe it was corrected in one of the Exchange cumulative updates, because my configuration is connecting with TLS 1.2.

  • Doug, if you look at my last post above, you'll see that this line is no longer in httpd.conf, but in reverseproxy.conf.  Unfortunately, that gets rewritten too often.  Also, if min_tls is 1.1 as Ron says, that line will look like SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2  after the cc set I mentioned.

    That said, I admit that I didn't read his post closely enough to have your insight about the client.  I bet that's the best solution.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
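An added shell check, written for this page and not taken from any poster in the thread or from Sophos: it reads the SSLProtocol line that Bob's grep targets, works out which TLS versions it enables, and applies Doug's Note 1 (TLS 1.0 only ever together with TLS 1.1). The configuration text is a constructed sample, and the function names are my own.

```shell
# Constructed sample of reverseproxy.conf; the SSLProtocol line is the one Bob's cc set yields.
SAMPLE_REVERSEPROXY_CONF='
Listen 443
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL
'

# Parse one SSLProtocol directive the way Apache reads it ("all"/"-all" set or clear everything,
# "+TLSvX"/"-TLSvX" toggle one version). Prints a 3-digit mask for TLS 1.0, 1.1, 1.2 (1 = on).
enabled_tls_versions() {
    v10=0; v11=0; v12=0
    for tok in $1; do
        case "$tok" in
            all|+all)        v10=1; v11=1; v12=1 ;;
            -all)            v10=0; v11=0; v12=0 ;;
            +TLSv1|+TLSv1.0) v10=1 ;;
            -TLSv1|-TLSv1.0) v10=0 ;;
            +TLSv1.1)        v11=1 ;;
            -TLSv1.1)        v11=0 ;;
            +TLSv1.2)        v12=1 ;;
            -TLSv1.2)        v12=0 ;;
            *) ;;            # the directive keyword itself and any SSLv2/SSLv3 tokens
        esac
    done
    printf '%s%s%s' "$v10" "$v11" "$v12"
}

# Judge a mask. Exit 0 for a contiguous set (Doug's Note 1: never TLS 1.0 without TLS 1.1),
# 1 for a gap or a set that lacks TLS 1.2, 2 when nothing is enabled.
check_tls_set() {
    case "$1" in
        001) echo "minimum TLS 1.2";                                return 0 ;;
        011) echo "minimum TLS 1.1";                                return 0 ;;
        111) echo "minimum TLS 1.0 (downlevel clients accepted)";   return 0 ;;
        000) echo "no TLS version enabled";                         return 2 ;;
        *)   echo "bad SSLProtocol set $1 (gap or missing TLS 1.2)"; return 1 ;;
    esac
}

# Same selection as Bob's grep, but over text passed in, so it also runs off the UTM.
audit_waf_tls() {
    line=$(printf '%s\n' "$1" | grep '^[[:space:]]*SSLProtocol' | head -n 1)
    [ -n "$line" ] || { echo "no SSLProtocol directive found"; return 2; }
    check_tls_set "$(enabled_tls_versions "$line")"
}

# On the UTM: audit_waf_tls "$(cat /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf)"
audit_waf_tls "$SAMPLE_REVERSEPROXY_CONF"
```

Because reverseproxy.conf gets rewritten, as Bob notes, run the audit after each cc set and after each Up2Date rather than trusting an earlier result.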
  • I think I found the minimum TLS version setting, it's been moved to the Web Application Firewall-Advanced tab.  I'm still seeing the option for TLS v1 or higher.  When I run cc get reverse_proxy min_tls it returns 1.

    Thanks.   -Steve

  • Steve,

    Thanks a bunch for finding that!

    Not as cool as per server, but I can live with it.

    Ron

  • Just what I was looking for. I would prefer that we could set it per Virtual Web Server as before. Having it be a global setting makes all of the WAF servers insecure vs the ones that still need to provide downlevel support.

    Eliminating 1.0 prevented users on Android versions lower than 4.4 from connecting to our systems. It also broke an older .NET app we were using, but that needed to be remediated anyway. Still would have been nice to see a little bit more explanation around the changes in the change log. This entry in the release notes is a bit vague, not indicating the changes:

    NUTM-8806 [WAF] Issue with TLS settings for virtual webserver

  • Rant begin:

    I asked Support for more detail about a couple of these "NUTM" entries in the release notes and all they could do is point me back to the release notes.

    In a year or two, perhaps details will appear in the known issues list for this release, since the K.I.L. never seems to have current data.

    Sophos does not seem to understand what a system manager needs and expects in a release notes document.

    Rant End