9.506 is released.
Maybe we could use this thread for reporting successfully updated systems and maybe not so many bugs. Who wants to be first to update? :-)
Updated HA-Cluster (SG230), no issues till now. Using proxy standard mode with AD, some IPSEC, REDs, mail protection.
WAF is broken for me.
It affects Windows 7 clients using Outlook 2010 connecting to Exchange 2010.
Other combinations like Windows 10, or Outlook 2013 work fine.
TLS 1 is required somewhere in this chain.
9.505-4 added a TLS Version dropdown that allowed you to pick your Min. TLS level. 9.506-2 removed the option. I have an open support ticket, do not have a workaround yet.
I was sent this as a workaround:
It doesn't seem to apply since the lines Sophos references to change no longer exist in the file.
Hope this helps,
Ron
Latest Update from Sophos Support.
If I understood correctly.
TLS 1 support has been removed.
After you do: cc set reverse_proxy min_tls 1
Check the result with: grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
Now is WAF still "broken" for that one situation?
Note that this probably is not supported and that you should upgrade your software to eliminate its dependence on TLSv1. After upgrading, use the trick above to set the value back to 1.1.
Cheers - Bob
TLS 1.0 and TLS 1.1 are no longer considered safe encryption technologies, so this should not be a surprise. However, the change should have been in the release notes. I have complained about this before.
I infer that your problem is on the client side, since you said the problem only affects Windows 7. Windows 7 shipped with TLS 1.0 installed but not enabled, for reasons that defy explanation. You can turn it on by GPO or manually within Internet Options.
Reconfiguring your clients is a better idea than decreasing UTM security, but you can probably re-enable TLS 1.0 and TLS 1.1 by editing this file:
/var/chroot-reverseproxy/usr/apache/conf/httpd.conf
Change this line:
SSLProtocol +TLSv1.2
to
SSLProtocol +TLSv1.0 +TLSv1.1 +TLSv1.2
Note 1: Never enable TLS 1.0 without also enabling TLS 1.1. The session compatibility search functions do not like gaps in the search sequence.
Note 2: I also recollect that Exchange 2010 had a problem with SMTP supporting nothing higher than TLS 1.0, but I believe it was corrected in one of the Exchange cumulative updates, because my configuration is connecting with TLS 1.2.
Doug, if you look at my last post above, you'll see that this line is no longer in httpd.conf, but in reverseproxy.conf. Unfortunately, that gets rewritten too often. Also, if min_tls is 1.1 as Ron says, that line will look like SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 after the cc set I mentioned.
That said, I admit that I didn't read his post closely enough to have your insight about the client. I bet that's the best solution.
Cheers - Bob
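As an added example (my own script, not from the thread and not a Sophos tool), here are the two checks discussed in the posts above in a small POSIX shell script. tls_allowed reads the SSLProtocol directive from a file such as /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf and reports whether a given protocol is enabled, following Apache's all / + / - semantics, so it understands both the "SSLProtocol +TLSv1.2" form Doug quotes and the "SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2" form Bob sees after the cc set. probe_tls uses openssl s_client from a client machine to test which of TLS 1.0/1.1/1.2 the virtual webserver actually completes a handshake with, which is the check that matters given that reverseproxy.conf gets rewritten. The WAF_HOST/WAF_PORT environment variables, the SECLEVEL=0 cipher string (needed on OpenSSL 1.1.1/3.x builds that refuse TLS 1.0/1.1 by default) and the sample config line written to a temp file are assumptions for the example.

```shell
#!/bin/sh
# Added example: inspect the WAF's SSLProtocol directive and probe which
# TLS versions a virtual webserver really accepts. Not Sophos code.

# tls_allowed CONF VERSION
#   exit 0 if VERSION (TLSv1, TLSv1.1, TLSv1.2, ...) is enabled by the last
#   SSLProtocol line in CONF, exit 1 otherwise. Apache semantics: "all"
#   enables everything, "+X"/"X" adds X, "-X" removes X, later tokens win.
tls_allowed() {
    conf="$1"; want="$2"; enabled=no
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)
    [ -n "$line" ] || return 1
    for tok in $line; do
        case "$tok" in
            SSLProtocol) ;;
            all|+all) enabled=yes ;;
            -all) enabled=no ;;
            "+$want"|"$want") enabled=yes ;;
            "-$want") enabled=no ;;
        esac
    done
    [ "$enabled" = yes ]
}

# probe_tls HOST [PORT]
#   one line per protocol: "tls1: accepted" / "tls1: rejected".
#   openssl s_client exits non-zero when the handshake fails, which is what
#   an old Outlook 2010 client would see if TLS 1.0 is disabled on the WAF.
#   SECLEVEL=0 is an assumption: it lets a modern OpenSSL offer TLS 1.0/1.1.
probe_tls() {
    host="$1"; port="${2:-443}"
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" -servername "$host" \
             "-$v" -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}

# Constructed sample: the line Bob reports after `cc set reverse_proxy min_tls 1`.
sample=$(mktemp)
printf 'SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2\n' > "$sample"
for v in TLSv1 TLSv1.1 TLSv1.2; do
    if tls_allowed "$sample" "$v"; then echo "$v enabled"; else echo "$v disabled"; fi
done
rm -f "$sample"

# Only touch the network when a host is given, e.g.
#   WAF_HOST=mail.example.com sh check_tls.sh
if [ -n "${WAF_HOST:-}" ]; then
    probe_tls "$WAF_HOST" "${WAF_PORT:-443}"
fi
```

On the UTM itself, run tls_allowed against the real reverseproxy.conf right after the cc set, then again a few minutes later, to see whether the rewrite Bob mentions has undone it; the openssl probe from a client is the ground truth regardless of what the file says.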
Bob,
You are my HERO today!
My clients are connecting again.
Now maybe after a couple of hours outage, I can get them to get their software upgraded...
The main issue is I told them they had until April 2018 to fix this as that is the PCI compliance deadline for TLS 1.
I didn't comprehend this line in the change log:
Fix [NUTM-8806]: [WAF] Issue with TLS settings for virtual webserver
Meant removal of TLS 1...
Thanks,
Ron