Weak Ciphers in WAF

Hi all,

I tried to fix this with Sophos support, but as always the question was too hard. I hope you guys can help me with this. I have a UTM cluster running version 9.5.xx. I enabled the WAF option. Although the WAF is very limited in its options compared to other products, I am really missing one option: being able to disable weak ciphers. We are a hosting party and we take security very seriously. Therefore we are looking to use the UTM as a loadbalancer and using all the WAF features available. All done that. No problem.

When testing my test site against ssllabs.com I see that weak ciphers are used, and only TLS1.2 is used instead of TLS1.2 and higher. Sophos says we can't help you -goodbye-. Sorry, but the product is just too expensive for an answer like that.

Now, I have read some articles about how to change the ciphers using the command line interface on the UTM. But I don't know exactly what file to modify, or what to put in it. Does anyone know the best way to achieve this?

Greets,

Jeffrey

  • I extracted the reverseproxy.conf from the UTM. This is what's at the top of the file:

    SSLProtocol -all +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

    Can I just change these lines?

  • In reply to Jeffrey Jaspers:

    Jeffrey, if you have a case open with Sophos Support, you should request escalation.  Please come back here and let us know the recommended solution.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Thank you for the reply. I asked Sophos support and logged a case with them, but their statement is that they don't support it. But in my opinion that's bull* because it can be changed; they just won't tell me how to do it properly.

    Greets,

    Jeffrey

  • In reply to Jeffrey Jaspers:

    Hi Jeffrey,

    They are correct, unfortunately: any change not possible via the GUI or the CC commands is not persistent and therefore not supported.

    You can modify that file and remove the ciphers you do not want to be available but this will not be recorded in the config. This means any changes you make in the GUI will overwrite the file changes and revert it back with the weak ciphers and you'll have to make the change again.

    Unless Support authorise you to make these changes, it will be an unsupported solution to the problem you have.

    This feature request is one you'll want to vote for:

    Sorry this is not what you want, but I would recommend speaking to your account manager to ask them to contact prodman/SEs about the status of this feature request.

    Emile

  • In reply to EmileBelcourt:

    Guys, don't you remember when we were told to modify /var/chroot-reverseproxy/usr/apache/conf/httpd.conf to combat POODLE? Those changes were not reversed by rebooting or making adjustments to WAF. I can't believe a security issue like this is being ignored. Please reopen your case and request escalation. If you still run into a wall, PM me your case # and I'll get it to someone that will get it looked at by at least a level 2.

    Cheers - Bob

  • In reply to BAlfson:

    I'll re-open the case and ask for escalation. I'll let you know the outcome.

  • Hi

    Emile has correctly mentioned the limitation. The ciphers are located in the reverseproxy.conf file, hence it won't be persistent in a similar way as the changes mentioned by Bob for httpd.conf.

    I've voted for the feature request already and I encourage you to do that as well. And you should ask your account manager to get a status on this.

  • In reply to Jaydeep:

    Hi Jaydeep,

    For WAF, the ciphers are in /var/chroot-reverseproxy/usr/apache/conf/httpd.conf, and after we were told to modify that conf file, I don't recall folks having to redo the changes.  I suspect that that's because the changes were also done at Sophos before a major Up2Date might have replaced that file.

    NOTE about an hour later: As Emile points out below, it's another file in that same directory that contains the ciphers: reverseproxy.conf

    NOTE a day later: as Sabine points out below, the change should indeed be made in the httpd.conf file.  As Jaydeep mentions above, reverseproxy.conf changes are not persistent.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Checked with a customer I was onsite with today what they have to do, and they have to modify the reverseproxy.conf file.

    The httpd.conf file, that applies to the WebAdmin/User Portal, doesn't it? (Or am I getting wires crossed?)

    Emile

  • In reply to EmileBelcourt:

    Thanks, you're right, Emile, it is the reverseproxy.conf file, so I'll correct my post.

    If you look back at your notes on addressing POODLE, you'll see that we modified httpd.conf in the /var/chroot-reverseproxy/usr/apache/conf directory.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Folks!

    I am going to change this in my lab device to see when these ciphers are reset. So I'll check a change in config first, then a reboot and then an update (now that it's available). I'll post my observations here.

  • In reply to Jaydeep:

    Hi JayDeep,

    Thank you for helping us out. I also voted for this to just be available in the GUI. Thanks to Bob and Douglas I know what to do. I'm 100% sure we can get it to work and get it secure. But the big problem here is Sophos not supporting it.

    !! It is a security problem not being fixed by a security company.

    Just frustrating.

  • In reply to Jeffrey Jaspers:

    Hello Jeffrey, I ran into exactly the same problem. Thanks for sharing your insights.
    You wrote: "I know what to do. I'm 100% sure we can get it to work and get it secure."

    Are you willing to share the contents of the configuration file once you've altered and tested it?

    Thnx, Peter-Paul

  • In reply to Peter-Paul Gras:

    Hi Peter-Paul,

    Too bad you ran into the same problem. I hope I can test it next week. I'll have to set up a testing environment first, and of course my coworkers are on vacation... So you know how it is XD. I will definitely share this, whether it works or not.

  • In reply to BAlfson:

    Hi,

    It's possible to override the settings in the reverseproxy.conf at the end of the httpd.conf. The settings in httpd.conf aren't overwritten by config changes or reboot.

    Edit /var/chroot-reverseproxy/usr/apache/conf/httpd.conf:

    After the line 'Include conf/reverseproxy.conf' you can put, for example:

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS

    Restart the reverseproxy: /var/mdw/scripts/reverseproxy restart

    Best,

    Sabine
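As an added example, not code from Sabine, Sophos or this thread: a small POSIX shell helper that makes the edit she describes on a copy of httpd.conf, idempotently, and checks that the effective suite no longer lists the RSA key-exchange tokens present in the UTM default posted earlier in the thread. The file path, the sample config and the `waf.example.invalid` name are constructed; the UTM restart command is deliberately not run.

```shell
#!/bin/sh
# Added example (not from the thread): insert an SSLCipherSuite override right
# after 'Include conf/reverseproxy.conf' in a copy of httpd.conf and verify it.

# Suite as posted from reverseproxy.conf (contains RSA-only key exchange).
UTM_DEFAULT_SUITE='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS'
# Override suggested by Sabine (forward-secret key exchange only).
STRONG_SUITE='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS'
INCLUDE_LINE='Include conf/reverseproxy.conf'

# add_override FILE: append the override directly after the Include line.
# Idempotent: a second run does not add a duplicate directive.
add_override() {
    f=$1
    grep -qxF "SSLCipherSuite $STRONG_SUITE" "$f" && return 0
    awk -v inc="$INCLUDE_LINE" -v suite="$STRONG_SUITE" '
        { print }
        $0 == inc { print "SSLCipherSuite " suite }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# effective_suite FILE: the last SSLCipherSuite directive in the file, which is
# the one that lands after the Include when add_override has run.
effective_suite() {
    awk '$1 == "SSLCipherSuite" { s = $2 } END { print s }' "$1"
}

# lists_rsa_kx SUITE: exit 0 if any token selects plain RSA key exchange
# (no forward secrecy), i.e. starts with "RSA+".
lists_rsa_kx() {
    case ":$1:" in
        *:RSA+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on a constructed sample file (not a real UTM config).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Listen 443' "$INCLUDE_LINE" 'ServerName waf.example.invalid' > "$d/httpd.conf"
    add_override "$d/httpd.conf"
    s=$(effective_suite "$d/httpd.conf")
    if lists_rsa_kx "$s"; then echo "still allows RSA key exchange: $s"; else echo "override ok: $s"; fi
    rm -rf "$d"
}
demo
```

On the UTM itself the same edit would be followed by `/var/mdw/scripts/reverseproxy restart` and a fresh ssllabs.com scan to confirm the served suite changed.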