
Weak Ciphers in WAF

Hi all,

I tried to fix this with Sophos support, but as always the question was too hard. I hope you guys can help me with this. I have a UTM cluster running version 9.5.xx. I enabled the WAF option. Although the WAF is very limited in its options compared to other products, I am really missing one option: being able to disable weak ciphers. We are a hosting party and we take security very seriously. Therefore we are looking to use the UTM as a loadbalancer and using all the WAF features available. All done that. No problem.

When testing my test site against ssllabs.com I see that weak ciphers are used, and only TLS1.2 is used instead of TLS1.2 and higher. Sophos says we can't help you -goodbye-. Sorry, but the product is just too expensive for an answer like that.

Now, I have read some articles about this on how to change the ciphers using the command line interface on the UTM. But I don't know exactly what file to modify, or what to put in it. Does anyone know how to achieve this the best way?

Greets,

Jeffrey



  • I extracted the reverseproxy.conf from the UTM. This is what's at the top of the file:

    SSLProtocol -all +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

    Can I just change these lines?
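
Added example (not from the thread and not Sophos code): the two directives above are Apache mod_ssl settings, and the cipher string is evaluated by OpenSSL, so you can see exactly which suites it selects by expanding it with Python's `ssl` module against the local OpenSSL build. The script below expands the thread's SSLCipherSuite string, flags suites that use static RSA key exchange (no forward secrecy) or a non-AEAD (CBC) bulk cipher, and does the same for a tightened string. The tightened string `HARDENED_CIPHERS` is an assumption for illustration, not a Sophos recommendation, and the exact suite list depends on the OpenSSL version Python is linked against.

```python
"""Expand Apache-style SSLCipherSuite strings and flag weak suites.

Added example, not from the thread or from Sophos. Uses the local
OpenSSL build via Python's ssl module, so the precise list of suites
depends on the OpenSSL version present on the machine running it.
"""
import ssl

# Cipher string exactly as quoted from the UTM's reverseproxy.conf.
UTM_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
               "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")

# Tightened string (an assumption for illustration, not a Sophos
# recommendation): ephemeral key exchange only, AEAD bulk ciphers only.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!DSS"


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites the string selects, as dicts
    in the form SSLContext.get_ciphers() produces."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately in OpenSSL and report
    # Kx=any, so drop them to show what SSLCipherSuite really controls.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string):
    """List (name, reason) for suites lacking forward secrecy or AEAD."""
    findings = []
    for c in expand(cipher_string):
        reasons = []
        if c["kea"] == "kx-rsa":          # static RSA key exchange
            reasons.append("no forward secrecy")
        if not c["aead"]:                 # CBC + HMAC instead of GCM/ChaCha
            reasons.append("non-AEAD (CBC)")
        if reasons:
            findings.append((c["name"], ", ".join(reasons)))
    return findings


def report(cipher_string):
    """Summary dict: total suites selected and the weak ones among them."""
    selected = expand(cipher_string)
    return {
        "total": len(selected),
        "names": [c["name"] for c in selected],
        "weak": weak_suites(cipher_string),
    }


if __name__ == "__main__":
    for label, s in (("UTM default", UTM_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        r = report(s)
        print(f"{label}: {r['total']} suites, {len(r['weak'])} weak")
        for name, why in r["weak"]:
            print(f"  {name}: {why}")
```

The alias semantics explain what ssllabs is reporting: in current OpenSSL builds `ECDH` and `DH` in a cipher string already mean the ephemeral variants, so it is the trailing `RSA+AESGCM:RSA+AES` that reintroduces static RSA key exchange, and `+AES` without `GCM` admits the CBC suites. Whatever string ends up in the file, re-test from outside (as the thread does with ssllabs.com) after every GUI change, because the file can be regenerated from the UTM's configuration.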

  • Jeffrey, if you have a case open with Sophos Support, you should request escalation.  Please come back here and let us know the recommended solution.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for the reply. I asked Sophos support and logged a case with them, but their statement is that they don't support it. But in my opinion that's bull* because it can be changed; they just won't tell me how to do it properly.

    Greets,

    Jeffrey

  • Hi Jeffrey,

    They are correct unfortunately: any change not possible via the GUI or the CC commands is not persistent and therefore not supported.

    You can modify that file and remove the ciphers you do not want to be available but this will not be recorded in the config. This means any changes you make in the GUI will overwrite the file changes and revert it back with the weak ciphers and you'll have to make the change again.

    Unless Support authorise you to make these changes, it will be an unsupported solution to the problem you have.

    This feature request is one you'll want to vote for:

    Sorry this is not what you want, but I would recommend speaking to your account manager to ask them to contact prodman/SEs about the status of this feature request.

    Emile

  • Guys, don't you remember when we were told to modify /var/chroot-reverseproxy/usr/apache/conf/httpd.conf to combat POODLE.  Those changes were not reversed by rebooting or making adjustments to WAF.  I can't believe a security issue like this is being ignored.  Please reopen your case and request escalation.  If you still run into a wall, PM me your case # and I'll get it to someone that will get it looked at by at least a level 2.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'll re-open the case and ask for escalation. I'll let you know the outcome.
