In the discussion about 9.501-5, Paulo Rocada raises the issue that in version 9.501-5, WAF no longer connects to Server 2003 R2, although 9.4 worked. I assume this is related to cipher suites.
First, this points out the problems with Sophos Release Notes. They provide cryptic information about the problems that are supposed to be solved, but nothing about the possible implications for us after the changes have been made. If version 9.Next drops support for back-end servers, it should be explained and highlighted in a context that is hard to miss.
Secondly, WAF products should provide support for legacy back-end servers. Part of their appeal is their ability to upgrade encryption from the weak protocols on a legacy server to the strong protocols available on the WAF.
Third, it would be appropriate for Sophos to document what systems they have used for testing as back-end servers.
For this particular problem, I wonder if it simply means that Sophos changed the cipher suite allow list used for the back-end connection. In 9.4, it is specified:
- In directory: /var/storage/chroot-reverseproxy/usr/apache/conf
- In file: httpd.conf
- On these lines:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3
This fragment is from my 9.4 system. It would be helpful for someone to post the equivalent cipher specification for version 9.5. I wonder if Sophos has disabled TLS1.0 protocol or AES cipher.
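Added example, not from the original post and not Sophos code: a small Python script that expands an Apache `SSLCipherSuite` string through the local OpenSSL (via the `ssl` module), lists which suites a legacy back-end limited to RSA key exchange, CBC ciphers and TLS 1.0 could still use, parses the `SSLProtocol` line, and diffs two allow lists so that dropped suites are visible. The 9.4 values are the ones quoted above; `SPEC_TIGHT_HYPOTHETICAL` is a constructed, tightened list used only to show the diff and is not the 9.5 configuration. The expanded names depend on the OpenSSL build the script runs on (3DES suites appear only if that build includes them).

```python
import re
import ssl

# Values quoted from the 9.4 httpd.conf in the post above.
SPEC_94 = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
           "RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS")
PROTO_94 = "all -SSLv2 -SSLv3"

# Constructed, hypothetical tightened allow list (NOT the real 9.5 value):
# forward-secret key exchange only, no plain-RSA key exchange, no 3DES.
SPEC_TIGHT_HYPOTHETICAL = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:"
                           "!aNULL:!MD5:!DSS")

# OpenSSL's one-line cipher description, e.g.
# "AES128-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1"
DESC_RE = re.compile(r"Kx=(\S+).*?Enc=(\S+).*?Mac=(\S+)")

# What a TLS 1.0-era back-end without ECDHE/DHE support can typically speak:
# RSA key exchange, AES-CBC or 3DES, HMAC-SHA1.
LEGACY_ENC = {"AES(128)", "AES(256)", "3DES(168)"}

KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def expand(spec):
    """Expand an OpenSSL cipher string into the suites the local OpenSSL
    actually enables for it. Returns [] if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    suites = []
    for c in ctx.get_ciphers():
        m = DESC_RE.search(c["description"])
        if not m:
            continue
        suites.append({"name": c["name"], "kx": m.group(1),
                       "enc": m.group(2), "mac": m.group(3)})
    return suites


def legacy_rsa_suites(spec):
    """Suites in the allow list that an RSA-kx, CBC, SHA1-only back-end could use."""
    return [s["name"] for s in expand(spec)
            if s["kx"] == "RSA" and s["enc"] in LEGACY_ENC and s["mac"] == "SHA1"]


def enabled_protocols(line):
    """Parse an Apache SSLProtocol value ('all -SSLv2 -SSLv3', '+TLSv1.2', 'TLSv1.2')."""
    enabled = set()
    for tok in line.split():
        if tok.lower() == "all":
            enabled.update(KNOWN_PROTOCOLS)
        elif tok.startswith("+"):
            enabled.add(tok[1:])
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok)  # bare names form an explicit list
    return enabled


def legacy_reachable(spec, proto_line):
    """True if both the protocol list and the cipher list still admit a
    TLS 1.0, RSA-key-exchange back-end."""
    return "TLSv1" in enabled_protocols(proto_line) and bool(legacy_rsa_suites(spec))


def dropped(old_spec, new_spec):
    """Suite names enabled by old_spec that new_spec no longer enables."""
    new_names = {s["name"] for s in expand(new_spec)}
    return [s["name"] for s in expand(old_spec) if s["name"] not in new_names]


if __name__ == "__main__":
    print("9.4 legacy-usable suites:", legacy_rsa_suites(SPEC_94))
    print("9.4 protocols:", sorted(enabled_protocols(PROTO_94)))
    print("reachable under 9.4:", legacy_reachable(SPEC_94, PROTO_94))
    print("dropped by hypothetical tightened list:",
          dropped(SPEC_94, SPEC_TIGHT_HYPOTHETICAL))
```

Run against two real configurations (the 9.4 fragment and whatever 9.5 ships), `dropped()` shows exactly which suites disappeared, and `legacy_reachable()` answers the question asked above: whether the back-end connection can still be negotiated by a server that only offers TLS 1.0 with RSA key exchange.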