This discussion has been locked.

Weak Ciphers in WAF

Hi all,

I tried to fix this with Sophos support, but as always the question was too hard. I hope you guys can help me with this. I have a UTM cluster running version 9.5.xx. I enabled the WAF option. Although the WAF is very limited in its options compared to other products, I am really missing one option: being able to disable weak ciphers. We are a hosting party and we take security very seriously. Therefore we are looking to use the UTM as a load balancer, using all the WAF features available. That is all done. No problem.

When testing my test site against ssllabs.com I see that weak ciphers are used, and only TLS1.2 is used instead of TLS1.2 and higher. Sophos says we can't help you -goodbye-. Sorry, but the product is just too expensive for an answer like that.

Now, I have read some articles on how to change the ciphers using the command line interface on the UTM. But I don't know exactly what file to modify, or what to put in it. Does anyone know the best way to achieve this?

Greets,

Jeffrey



  • Hi Folks,

    I think Sabine has posted a proper solution. Now in order to apply it on the UTM9, for Home devices, it should not be an issue. For licensed UTM9, it'd be better if it's discussed with the Account manager or Support first before doing these changes. I'll check if this information can be used in a Public article.

    Regarding the changes I made on my lab device, they were reverted with a change in the config, and also with a reboot. I could not check with a firmware update, but it's obvious that it will not stay persistent.

    Regards

    Jaydeep

  • Hi JayDeep,

    Thank you for testing this for us. Your answer really helps me/us. I was wondering: you say the config changes back, but could we get around this using a cron job? For example, place the modified file in a location where it wouldn't be overwritten, and after every reboot replace the original file and restart the WAF service.

    Greets,

    Jeffrey

  • That would help after a restart. But what about the changes you do in the config? I guess it's not possible to do a cronjob for that. Sabine has suggested a proper fix which is persistent over the changes we would attempt. Would you be able to try that and see if that helps? Please post any difficulties you face.

    Regards

    Jaydeep

  • JayDeep,

    Thank you again. I'm setting up my testing environment as we speak. I'll keep you informed.

    Greets,

    Jeffrey
