UTM 9.5 introduced the ability to set the TLS version on a per-VWS basis.
This was a much needed feature that allowed us to increase the TLS version setting for Virtual Web Servers that we wanted to run a higher version, whilst allowing us to continue to run some VWS at a lower level, where clients would not work properly at the highest version.
It appears that this has been removed in 9.506, being replaced by a global setting on the Advanced tab under the WAF area in Webadmin.
I have now had to change the setting for ALL my VWS to TLS 1.0 so that the few systems that require us to use the less secure 1.0 can continue to operate, weakening the security stance of all the VWS I had previously operating at version 1.2.
This is obviously not good.
Have I completely missed something in the release notes explaining this change? Or has Sophos pulled this feature without a mention?
The only thing in the release notes that even seems related is 'NUTM-8806 [WAF] Issue with TLS settings for virtual webserver'
Confused me too :-)
Like you said, look under "Advanced" :
I cannot think of sites using lower than 1.2, so for me it's not a problem, but I surely understand some can have issues, though they may be few.
In reply to twister5800:
Is there anything new on this issue? There are no notes on the release notes for 9.508.
The ability to configure the tls-version per vws is an important feature.
In reply to BenediktWehr:
I checked at Ideas, Benedikt, and there is no such feature request, so you might want to make one and post a link to it here in this thread. I checked the structure of a Virtual Server object at the command line with cc get_object and confirmed that there is no option that could be changed in it to select a different TLS version.
Cheers - Bob