
UTM Up2Date 9.506 Released

9.506 is released.

Maybe we could use this thread for reporting successfully updated systems and maybe not so many bugs. Who wants to be first to update? :-)

  • TLS 1.0 and TLS 1.1 are no longer considered safe encryption technologies, so this should not be a surprise. However, the change should have been in the release notes. I have complained about this before.

    I infer that your problem is on the client side, since you said the problem only affects Windows 7. Windows 7 shipped with TLS 1.0 installed but not enabled, for reasons that defy explanation. You can turn it on by GPO or manually within Internet Options.

    Reconfiguring your clients is a better idea than decreasing UTM security, but you can probably re-enable TLS 1.0 and TLS 1.1 by editing this file:

    /var/chroot-reverseproxy/usr/apache/conf/httpd.conf

    Change this line:

    SSLProtocol +TLSv1.2

    to

    SSLProtocol +TLSv1.0 +TLSv1.1 +TLSv1.2

    Note 1: Never enable TLS 1.0 without also enabling TLS 1.1. The session compatibility search functions do not like gaps in the search sequence.

    Note 2: I also recollect that Exchange 2010 had a problem with SMTP supporting nothing higher than TLS 1.0, but I believe it was corrected in one of the Exchange cumulative updates, because my configuration is connecting with TLS 1.2.

  • Doug, if you look at my last post above, you'll see that this line is no longer in httpd.conf, but in reverseproxy.conf. Unfortunately, that gets rewritten too often. Also, if min_tls is 1.1 as Ron says, that line will look like SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 after the cc set I mentioned.

    That said, I admit that I didn't read his post closely enough to have had your insight about the client. I bet that's the best solution.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
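The two posts above describe the SSLProtocol line in two spellings ("+TLSv1.0 +TLSv1.1 +TLSv1.2" and "-all +TLSv1 +TLSv1.1 +TLSv1.2") and one rule for it (never enable TLS 1.0 without TLS 1.1). The following added checker is not from the thread or from Sophos; it parses an Apache SSLProtocol directive into its effective protocol set and reports deprecated versions and gaps, so an administrator can audit the line before or after the update. It assumes Apache's "+proto"/"-proto"/"all" syntax and treats "all" as every protocol in PROTOCOL_ORDER.

```python
import re

# Protocol names Apache accepts, in version order (assumption: this is the
# full set the UTM's Apache build can negotiate; newer builds add TLSv1.3).
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# The thread writes "+TLSv1.0"; Apache itself spells TLS 1.0 as "TLSv1".
ALIASES = {"TLSv1.0": "TLSv1"}


def effective_protocols(directive):
    """Return the set of protocols an SSLProtocol line enables.

    Tokens are applied left to right, starting from an empty set, so
    "SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2" and "SSLProtocol all -SSLv3"
    both resolve correctly.
    """
    m = re.match(r"\s*SSLProtocol\s+(.*)$", directive)
    if not m:
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for token in m.group(1).split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        name = ALIASES.get(name, name)
        if name.lower() == "all":
            targets = set(PROTOCOL_ORDER)
        elif name in PROTOCOL_ORDER:
            targets = {name}
        else:
            raise ValueError("unknown protocol %r" % name)
        enabled = enabled | targets if sign == "+" else enabled - targets
    return enabled


def findings(directive):
    """List the problems an auditor would flag for the directive."""
    enabled = effective_protocols(directive)
    out = []
    if "SSLv3" in enabled:
        out.append("SSLv3 enabled")
    if "TLSv1" in enabled or "TLSv1.1" in enabled:
        out.append("TLS 1.0/1.1 enabled (deprecated; PCI deadline noted in thread)")
    # Doug's Note 1: a hole in the enabled range (e.g. 1.0 and 1.2 without
    # 1.1) confuses the protocol compatibility search.
    idx = sorted(PROTOCOL_ORDER.index(p) for p in enabled)
    if idx and idx[-1] - idx[0] + 1 != len(idx):
        out.append("gap in enabled protocol range: " + ", ".join(sorted(enabled)))
    return out


if __name__ == "__main__":
    for line in ["SSLProtocol +TLSv1.2", "SSLProtocol +TLSv1.0 +TLSv1.2"]:
        print(line, "->", findings(line) or ["ok"])
```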
  • I think I found the minimum TLS version setting; it's been moved to the Web Application Firewall > Advanced tab. I'm still seeing the option for TLS v1 or higher. When I run cc get reverse_proxy min_tls it returns 1.

     

    Thanks. -Steve

  • Web proxy does not use any filter in Blocked File Extensions, MIME filters, or Warned MIME Types.

     

  • Bob,

    You are my HERO today!

    My clients are connecting again.

    Now maybe after a couple of hours outage, I can get them to get their software upgraded...

    The main issue is I told them they had until April 2018 to fix this as that is the PCI compliance deadline for TLS 1.

    I didn't comprehend this line in the change log:

    Fix [NUTM-8806]: [WAF] Issue with TLS settings for virtual webserver

    Meant removal of TLS 1...

     

    Thanks,

    Ron

  • Steve,

    Thanks a bunch for finding that!

    Not as cool as per server, but I can live with it.

     

    Ron

  • My bad.

    TLS 1 is still there you just need to know what screen to access.

    Advanced vs Virtual Webserver/Edit Screen.

     

    Thanks,

    Ron

  • I guess I was writing my reply as you were writing yours. Thanks for the updated information.

    Someone please clarify: WAF encryption options are supposed to be configurable from the GUI, but I thought that was only for AWS environments. Is it actually supported for all configurations in 9.506?

  • After updating my ESX setup, both nodes of the HA cluster (running on different ESX hosts) come up with the same MAC addresses. The "cc ha set virtual_mac 0" works, but only acts on the HA interface, which does use the physical interface MAC.

    So it broke my cluster, and my redundancy. Not amused. :-(

  • SMTP Proxy - authentication. Can't select an AD server even though I have 4 of these listed in the UTM.