
Weak Ciphers in WAF

Hi all,

I tried to fix this with Sophos support, but as always the question was too hard. I hope you guys can help me with this. I have a UTM cluster running version 9.5.xx. I enabled the WAF option. Although the WAF is very limited in its options compared to other products, I am really missing one option: being able to disable weak ciphers. We are a hosting party and we take security very seriously. Therefore we are looking to use the UTM as a loadbalancer and using all the WAF features available. All done that. No problem.

When testing my test site against ssllabs.com I see that weak ciphers are used, and only TLS1.2 is used instead of TLS1.2 and higher. Sophos says we can't help you -goodbye-. Sorry, but the product is just too expensive for an answer like that.

Now, I have read some articles about this on how to change the ciphers using the command line interface on the UTM. But I don't know exactly what file to modify, or what to put in it. Does anyone know how to achieve this the best way?

Greets,

Jeffrey



  • Hi  

    Emile has correctly mentioned the limitation. The ciphers are located in the reverseproxy.conf file, hence it won't be persistent, in a similar way as the changes mentioned by Bob for httpd.conf.

    I've voted for the feature request already and I encourage you to do that as well. And you should ask your account manager to get a status on this.

    Regards

    Jaydeep

  • Hi Jaydeep,

    For WAF, the ciphers are in /var/chroot-reverseproxy/usr/apache/conf/httpd.conf, and after we were told to modify that conf file, I don't recall folks having to redo the changes.  I suspect that that's because the changes were also done at Sophos before a major Up2Date might have replaced that file.

    NOTE about an hour later: As Emile points out below, it's another file in that same directory that contains the ciphers: reverseproxy.conf

    NOTE a day later: as Sabine points out below, the change should indeed be made in the httpd.conf file.  As Jaydeep mentions above, reverseproxy.conf changes are not persistent.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I checked with a customer I was onsite with today what they have to do, and they have to modify the reverseproxy.conf file.

    The httpd.conf file, that applies to the webadmin/user portal, doesn't it? (Or am I getting wires crossed.)

    Emile

  • Thanks, you're right, Emile, it is the reverseproxy.conf file, so I'll correct my post.

    If you look back at your notes on addressing POODLE, you'll see that we modified httpd.conf in the /var/chroot-reverseproxy/usr/apache/conf directory.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Folks!

    I am going to change this in my lab device to see when these Ciphers are reset. So I'll check a change in config first, then a reboot and then an update(now that it's available). I'll post my observations here.

    Regards

    Jaydeep

  • Hi JayDeep,

    Thank you for helping us out. I also voted for this to just be available in the GUI. Thanks to Bob and Douglas I know what to do. I'm 100% sure we can get it to work and get it secure. But the big problem here is Sophos not supporting it.

    !! It is a security problem not being fixed by a security company.

    Just frustrating.

  • Hello Jeffrey, I ran into exactly the same problem. Thanks for sharing your insights.
    You wrote: "I know what to do. I'm 100% sure we can get it to work and get it secure."

    Are you willing to share the contents of the configuration file once you've altered and tested it?

    Thnx, Peter-Paul

    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Hi Peter-Paul,

    Too bad you ran into the same problem. I hope I can test it next week. I'll have to set up a testing environment first, and of course my coworkers are on vacation... So you know how it is XD. I will definitely share this, whether it works or not.