Weak Ciphers in WAF

Question

Hi all, 
 I tried to fix this with Sophos support, but as always the question was to hard. I hope you guys can help me with this. I have a UTM cluster running version 9.5.xx. I enabled the WAF option. Although the WAF is very limited in its options compared to other products, I am really missing one option. Being able to disable weak ciphers. We are a hosting party and we take security very seriously. There for we are looking to use the UTM as a loadbalancer and using all the WAF features available. All done that. No problem 
 When testing my test site against ssllabs.com I see that weak ciphers are used, and only TLS1.2 is used instead of TLS1.2 and higher. Sophos says we can't help you -goodbye-. Sorry but the product is just to expensive for an answer like that. 
 Now, I have read some articles about this on how to change the ciphers using the command line interface on the UTM. But I don't know exactly what file to modify, or what to put in it. Does anyone know how to achieve this the best way? 
 Greets, 
 Jeffrey

Jeffrey Jaspers · Accepted Answer

Hi all, 
 
 So I tested today with all version from 9.4.xx and up to 9.6.latest. I repeatedly tried to change the SSLCipherSuite. First in the httpd.conf and later in the reverseproxy.conf. That change can be made very easily and seems to be working well. BUT... indeed whenever you make ANY change in your WAF setting, or you do a fireware update, or you do a reboot your reverseproxy.conf file will change your SSLCipherSuite back to the default setting. 
 I would advise to experiment this with smaller environments where WAF settings are barely touched/changed. For myself/my company (we are a hosting party so we change the WAF a lot) we cannot use this. Yes we could change the reverseproxy.conf after every change we do. But it is too much/too dangerous work for a production environment. because you can only do it from the CLI. 
 So my message to Sophos, fix this please. For all the users which rely on you for their security. Your WAF products contains weak Ciphers which cannot be changed. 
 For now my question is answered and I want to thank you all for your help, and I really hope Sophos will hear and listen to our shout out. 
 
 My next step is to get a refund of my license and then I will need to look for a product which can provide us with a secure WAF. 
 Greets, 
 Jeffrey Jaspers