
PCI Scan Failure - SPX TLS 1.0

We're failing our PCI scan after enabling and allowing the port for SPX email encryption.

Details: A service supporting outdated versions of TLS or SSL was detected. TLS 1.0 and SSLv3 are affected by known flaws which could allow man-in-the-middle attacks, such as BEAST and POODLE.

Information From Target:
Service: [port number]:TCP
Server accepted TLS 1.0 handshake with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher


How do we disable these weak ciphers for SPX?

SG 330 9.311-3


Thanks!
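The scanner's finding above can be reproduced with `openssl s_client`, which is how to confirm a fix before re-running the paid scan. The script below is an added example, not from this thread or from Sophos: it assumes a local `openssl` (1.1.0 or newer) and takes the SPX host and port as arguments, since the port number is elided in the post.

```shell
#!/bin/sh
# Added example, not from the thread: re-run the scanner's checks against
# the SPX port. Assumes a local `openssl` binary (1.1.0 or newer); host and
# port are caller-supplied because the page elides the SPX port number.

# Read `openssl s_client` output on stdin and print "PROTO CIPHER", or
# "NONE" when no session was negotiated (OpenSSL then reports Cipher 0000).
parse_s_client() {
    awk '/^ *Protocol *:/ { p = $NF }
         /^ *Cipher *:/   { c = $NF }
         END { if (p != "" && c != "" && c != "0000") print p, c; else print "NONE" }'
}

# Judge a negotiated protocol/cipher pair the way the PCI finding does:
# SSLv3 and TLS 1.0/1.1 fail on the protocol alone, and a 3DES, RC4,
# NULL or export suite fails whatever protocol version carried it.
assess_suite() {
    proto=$1 cipher=$2
    case $proto in
        NONE)                echo "PASS no-handshake" ;;
        SSLv3|TLSv1|TLSv1.1) echo "FAIL legacy-protocol $proto" ;;
        *) case $cipher in
               *DES-CBC3*|*RC4*|*NULL*|*EXP*) echo "FAIL weak-cipher $cipher" ;;
               *)                            echo "PASS $proto $cipher" ;;
           esac ;;
    esac
}

# Offer only TLS 1.0. @SECLEVEL=0 lets a modern OpenSSL client propose it
# at all, so the verdict reflects the server's policy, not the client's.
probe_tls10() {
    printf '' | openssl s_client -connect "$1:$2" -tls1 \
        -cipher 'DEFAULT:@SECLEVEL=0' 2>/dev/null | parse_s_client
}

# Offer only the 3DES suite the scanner saw (OpenSSL name for
# TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA is DHE-RSA-DES-CBC3-SHA), any version.
probe_3des() {
    printf '' | openssl s_client -connect "$1:$2" \
        -cipher 'DHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:@SECLEVEL=0' 2>/dev/null | parse_s_client
}

# Usage: sh check_spx_tls.sh <host> <port>   (probes run only with two args)
if [ $# -eq 2 ]; then
    assess_suite $(probe_tls10 "$1" "$2")
    assess_suite $(probe_3des "$1" "$2")
fi
```

A "PASS no-handshake" is only meaningful if the local OpenSSL build can still speak TLS 1.0 and 3DES itself; a client that refuses them proves nothing about the server.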



  • Because you are jumping so many versions, your best bet is to:

    • Save your configuration to a laptop.
    • Reset to factory defaults and reinstall from the CD.
    • Restore your configuration file from the laptop.

    Configuration files are upward compatible. This process will take about an hour, and you will have a very clean install using a minimum of disk space. Doing it with individual updates will take forever and will require fighting disk space problems all along the way.

    I had to do this process when upgrading from 9.408 to 9.506, because one of the updates failed and left the system in an inconsistent state. Wiping out my configuration was terrifying, but the process worked very well.

    The biggest headache is that you have probably forgotten what the initial install looks like. I found the installation web interface confusing, because it asked for network settings for 4 NICs, even though I was only planning to use two. The repeated questions made me think my entries had been rejected. I prefer the terminal mode interface, but had to get past the login password. I think the terminal mode default was admin / admin.

    Some of this may have changed between 9.506 and 9.605.


  • We posted about the same time, Doug, so you probably didn't see my solution which specifically avoids disk space problems. It also retains all logs and reporting.

    I like your solution for home users and very small businesses where logs and Reporting are of little use.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA