How do I disable some cipher suites in Webserver Protection?

After running an SSL check for one of our sites, which is served by our UTM, it turned up that we have 3 weak ciphers being supported by the UTM:

Cipher suite                        | ID     | Key exchange                       | FS | Strength
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 0xc012 | ECDH secp256r1 (eq. 3072 bits RSA) | FS | WEAK 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   | 0x16   | DH 2048 bits                       | FS | WEAK 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA       | 0xa    |                                    |    | WEAK 112

How do I disable these ciphers?
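As an added illustration of the check behind the question (example code, not from the thread and not Sophos UTM code): the three flagged suites are all 3DES, so in OpenSSL cipher-string terms a single `!3DES` exclusion covers them. The script below parses scan rows in the shape quoted above, classifies suite names by their IANA components, and then uses the local OpenSSL via Python's `ssl` module to confirm that a hypothetical hardened cipher string no longer offers any 3DES suite. The cipher string `HARDENED` is an assumption for the demonstration; the page does not say where Webserver Protection stores its cipher setting, so nothing here claims to be that setting. Note that OpenSSL reports its own names (`DES-CBC3-SHA`), not the IANA names the scanner prints.

```python
"""Added example: verify that a cipher string drops the 3DES suites a scan flagged.
Not from the original thread; the cipher string and scan rows are constructed."""
import ssl

# Constructed copy of the three rows quoted in the question (SSL Labs-style layout).
SCAN_OUTPUT = """\
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xc012 ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16 DH 2048 bits FS WEAK 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0xa WEAK 112
"""

# Hypothetical hardened OpenSSL cipher string (assumption, not a UTM setting):
# 128-bit-or-better suites, minus 3DES, anonymous key exchange, MD5 MACs and RC4.
HARDENED = "HIGH:!3DES:!aNULL:!MD5:!RC4"

# Components of an IANA suite name that make it weak regardless of the scanner's
# verdict: single/triple DES, RC4, export grades, NULL encryption, MD5 MAC.
WEAK_MARKERS = ("_3DES_", "_DES_", "_RC4_", "_NULL_", "_EXPORT", "_MD5")


def parse_scan(text):
    """Return [(iana_name, hex_id, rating)] for every non-empty scan row.

    The first two whitespace-separated tokens are the suite name and hex id;
    the rating is WEAK if that word appears anywhere on the row, else OK."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rating = "WEAK" if "WEAK" in parts else "OK"
        rows.append((parts[0], parts[1], rating))
    return rows


def is_weak(iana_name):
    """Classify by the suite's own components, independent of the scanner."""
    return any(marker in iana_name for marker in WEAK_MARKERS)


def weak_suites(text):
    """Names from the scan that are weak by construction."""
    return [name for name, _, _ in parse_scan(text) if is_weak(name)]


def offered_openssl_names(cipher_string):
    """Suite names the local OpenSSL would offer for a server using cipher_string.

    Raises ssl.SSLError if the string matches no cipher at all, which is itself
    a useful check before deploying a string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"] for c in ctx.get_ciphers()}


def still_offers_3des(cipher_string):
    """True if any offered suite is 3DES (OpenSSL spells it DES-CBC3)."""
    return any("DES-CBC3" in n or "3DES" in n
               for n in offered_openssl_names(cipher_string))


if __name__ == "__main__":
    print("Weak suites in scan:", weak_suites(SCAN_OUTPUT))
    print("Hardened string still offers 3DES:", still_offers_3des(HARDENED))
    print("Suites offered:", sorted(offered_openssl_names(HARDENED)))
```

After changing a cipher setting on any device, rerun the external scan as well: the local OpenSSL check only proves the string is well formed and excludes 3DES, not that the device's TLS stack honours it.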

  • In reply to BAlfson:

    RE: "I don't think deleting the policies deletes the underlying ciphers and DH groups."

    The system allows you to roll your own IPSEC policies from the component parts, and the components are fixed lists, so I cannot imagine that the components would be deleted either. But the policies are what is available for offer to an IPSEC connection, so removing the policy should be sufficient for the PCI complaint, at least for the ones that the system will permit to be removed.

  • In reply to DouglasFoster:

    Some of those hits in the scan were for non-existent combinations in the policies I see here, Doug, e.g., 3DES/SHA/DH-Group-5.

    Cheers - Bob

  • In reply to DouglasFoster:

    So the long story short is if you enable the 'Strict Policy' option on the IPSec policy it resolves the issue. Why that isn't by default, I have no idea. And why the Sophos will respond to IPSec policies that aren't even listed in profiles, and in fact claim to be disabled entirely in the config files under the hood, Sophos support doesn't know.

    I did my own scanning to verify and found that without the 'Strict Policy' option enabled the Sophos will respond to and negotiate an SA with the following:

    Encryption | Hash     | DH groups
    Blowfish   | MD5      | 1, 2, 5, 14
    Blowfish   | SHA1     | 1, 2, 5, 14
    Blowfish   | SHA2-256 | 1, 2, 5, 14
    Blowfish   | SHA2-384 | 1, 2, 5, 14
    Blowfish   | SHA2-512 | 1, 2, 5, 14
    3DES       | MD5      | 1, 2, 5, 14
    3DES       | SHA1     | 1, 2, 5, 14
    3DES       | SHA2-256 | 1, 2, 5, 14
    3DES       | SHA2-384 | 1, 2, 5, 14
    3DES       | SHA2-512 | 1, 2, 5, 14
    AES128     | MD5      | 1, 2, 5, 14
    AES128     | SHA1     | 1, 2, 5, 14
    AES128     | SHA2-256 | 1, 2, 5, 14
    AES128     | SHA2-384 | 1, 2, 5, 14
    AES128     | SHA2-512 | 1, 2, 5, 14
    AES192     | MD5      | 1, 2, 5, 14
    AES192     | SHA1     | 1, 2, 5, 14
    AES192     | SHA2-256 | 1, 2, 5, 14
    AES192     | SHA2-384 | 1, 2, 5, 14
    AES192     | SHA2-512 | 1, 2, 5, 14
    AES256     | MD5      | 1, 2, 5, 14
    AES256     | SHA1     | 1, 2, 5, 14
    AES256     | SHA2-256 | 1, 2, 5, 14
    AES256     | SHA2-384 | 1, 2, 5, 14
    AES256     | SHA2-512 | 1, 2, 5, 14

  • In reply to floppyraid:

    Wow! Did support agree to escalate this?