
SSL certificate is not valid

Hi All,

I have had a security scan performed on the outside of our UTM and one of the results displays the following message:

Synopsis: The remote web server uses an old version of SSL.
Description: The remote service accepts connections encrypted using SSL 3.0 which is obsolete and lacks key features. It is safe to disable it, because all modern clients support newer versions.
Solution: Disable SSL 3.0 support and use TLS 1.2 instead or TLS 1.1 where 1.2 is not available.
Findings: The remote host supports connections using SSL 3.0 protocol.
Port: 3400/TCP
Tags: SSL

Synopsis: The remote service supports the RC4 cipher suites.
Description: [CVE-2013-2566] The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. [CVE-2015-2808] The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the 'Bar Mitzvah' issue.
Solution: Disable RC4 cipher suites in the service's configuration. Migration to TLS1.2 and AES-GCM cipher suites is highly recommended.
Findings: RC4 cipher suites supported.
Port: 3400/TCP
Tags: SSL, TLS

Can someone tell me how to adjust this in the UTM?
 


Hoi Panadero and welcome to the UTM Community!

That was a great recollection by Duncan!  Rather than use cc interactively as the article suggests, I would use a command:

cc set red tls_1_2_only 1

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA
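To confirm the change actually took effect on port 3400 before re-running the scan, the following probe offers the service an SSL 3.0 ClientHello and, separately, a TLS 1.2 ClientHello that lists only RC4 suites, then reads the first record the server sends back. It is an added example, not code from this thread or from Sophos; the host, port and the small suite-code table are assumptions, and it assumes the ServerHello arrives in a single record.

```python
import socket
import struct

# Constructed subset of suite codes: the RC4 suites the scan flags plus one
# AES-GCM suite the scan recommends, so that results print readable names.
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}
SSL3, TLS12 = (3, 0), (3, 3)

def build_client_hello(version, suite_codes):
    """Single-record ClientHello offering only suite_codes at the given version."""
    body = bytes(version) + bytes(32) + b"\x00"             # version, random, empty session id
    cs = b"".join(struct.pack(">H", c) for c in suite_codes)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"    # suite list, null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs

def classify_response(data):
    """Map the server's first record to ('accepted', suite) or ('rejected', reason)."""
    if len(data) < 7:
        return ("rejected", "connection closed without a handshake")
    if data[0] == 0x15:                                      # alert record
        return ("rejected", f"alert level={data[5]} description={data[6]}")
    if data[0] == 0x16 and len(data) > 44 and data[5] == 0x02:   # handshake, ServerHello
        sid_len = data[43]                                   # 5+4 headers, 2 version, 32 random
        if len(data) < 46 + sid_len:
            return ("rejected", "truncated ServerHello")
        code = struct.unpack(">H", data[44 + sid_len:46 + sid_len])[0]
        return ("accepted", SUITES.get(code, f"0x{code:04x}"))
    return ("rejected", f"unexpected record type 0x{data[0]:02x}")

def probe(host, port, version, suite_codes, timeout=5.0):
    """Offer one protocol version and suite list; report what the server did."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suite_codes))
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return ("rejected", "no response")

def still_vulnerable(host, port):
    """True if the endpoint accepts SSL 3.0, or an RC4 suite under TLS 1.2."""
    ssl3 = probe(host, port, SSL3, list(SUITES))
    rc4 = probe(host, port, TLS12, [0x0004, 0x0005])
    return ssl3[0] == "accepted" or rc4[0] == "accepted"

if __name__ == "__main__":
    import sys
    print(still_vulnerable(sys.argv[1], int(sys.argv[2])))   # e.g. <utm-host> 3400
```

A remediated endpoint answers both probes with a fatal alert (typically handshake_failure or protocol_version) or simply closes the connection.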