Disable TLS 1.0 on Web Application Firewall

RE: Disable TLS 1.0 on Web Application Firewall

BAlfson — Mon, 13 Mar 2017 16:09:31 GMT

Hard to get too excited before I even get invited to the closed beta. [;)]

Cheers - Bob

RE: Disable TLS 1.0 on Web Application Firewall

ewadie — Fri, 10 Mar 2017 10:10:42 GMT

UTM 9.5 coming soon

Web Application Firewall:

WAF TLS version allows the option to specify the required TLS version required for a virtual server, which enables PCI compliance by excluding TLS1.0

So I suggest you get excited about UTM 9.5 ;-)

RE: Disable TLS 1.0 on Web Application Firewall

sachingurung — Fri, 10 Mar 2017 10:06:26 GMT

I am editing my previous suggestion as per a latest update.

RE: Disable TLS 1.0 on Web Application Firewall

NickT — Fri, 10 Mar 2017 08:17:56 GMT

The firewall is running 9.411 and is still getting dinged for TLS 1.0. I am able to confirm this by running the following NMAPcommand.

nmap --script ssl-enum-ciphers host.domain.com

It shows that it is able to establish a connection using TLS 1.0. If I turn off the WAF and use a DNAT, NMAP is not able to establish a connection with TLS 1.0.

RE: Disable TLS 1.0 on Web Application Firewall

sachingurung — Fri, 10 Mar 2017 04:34:08 GMT

Hi NickTria,

We have disabled the TLS1.0 from v9.5 and this will be covered under NUTM-5056. It will be then possible to configure the minimal TLS version that is allowed for connections to WAF. I think there will be a GUI option to configure the TLS version use.

Thanks

RE: Disable TLS 1.0 on Web Application Firewall

Vels — Fri, 10 Mar 2017 02:01:46 GMT

Hi,

This has had a lot of attention the past 1-2 years and I actually thought it should have been disabled from version 9.4.

Except for the CLI method, only way I can think of is to DNAT instead (as you already fixed the Exchange IIS), until this is officially fixed.

However, you can disable it in the CLI - but it will likely void your warranty if you are a paying customer, in that case you are likely better of having support do it for you.

There is a guide for the WAF here also with a reference to another blog for webadmin etc : http://utdream.org/post.cfm/how-to-disable-tlsv1-on-sophos-utm9-waf-for-pci

> QUOTE <

After (a lot) of digging, I found that the sites running behind the Sophos WAF do so through the Sophos Service "reverseproxy". This is the service we need to edit to remove TLSv1 support.

The above documentation talks about hwo to go about logging into the command line on a Sophos UTM9, so I won't repeat it. Once you're logged in, you'll need to run the following commands:

sudo vim /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf

Update these to lines:

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
#SSLProtocol all -SSLv2 -SSLv3

to this

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES
SSLProtocol +TLSv1.1 +TLSv1.2

The restart the 'reverseproxy" service with the following command:

sudo /var/mdw/scripts/reverseproxy restart

Check that you can no longer acccess your site using TLSv1 with the following command (updating it with your own domain name):

openssl s_client -connect utdream.org:443 -tls1

You'll get a handshake failed error if TLSv1 has been properly disabled:

SSL handshake has read 0 bytes and written 0 bytes

>/QUOTE<