Weak Ciphers in WAF

Hi all,

I tried to fix this with Sophos support, but as always the question was too hard. I hope you guys can help me with this. I have a UTM cluster running version 9.5.xx. I enabled the WAF option. Although the WAF is very limited in its options compared to other products, I am really missing one option: being able to disable weak ciphers. We are a hosting party and we take security very seriously. Therefore we are looking to use the UTM as a loadbalancer and use all the WAF features available. All done that, no problem.

When testing my test site against ssllabs.com I see that weak ciphers are used, and only TLS1.2 is used instead of TLS1.2 and higher. Sophos says "we can't help you, goodbye". Sorry, but the product is just too expensive for an answer like that.

Now, I have read some articles about this on how to change the ciphers using the command line interface on the UTM. But I don't know exactly what file to modify, or what to put in it. Does anyone know how to achieve this the best way?

Greets,

Jeffrey

  • Hi Folks!

    I am going to change this in my lab device to see when these Ciphers are reset. So I'll check a change in config first, then a reboot and then an update(now that it's available). I'll post my observations here.

    Regards

    Jaydeep

  • Hi JayDeep,

    Thank you for helping us out. I also voted for this to just be available in the GUI. Thanks to Bob and Douglas I know what to do. I'm 100% sure we can get it to work and get it secure. But the big problem here is Sophos not supporting it.

    !! It is a security problem not being fixed by a security company.

    Just frustrating.

  • Hello Jeffrey, I ran into exactly the same problem. Thanks for sharing your insights.
    You wrote: " I know what to do. Im 100% sure we can get it to work and get it secure. "

    Are you willing to share the contents of the configuration file once you've altered and tested it?

    Thnx, Peter-Paul

  • Hi Peter-Paul,

    Too bad you ran into the same problem. I hope I can test it next week. I'll have to set up a testing environment first, and of course my coworkers are on vacation... So you know how it is XD. I will definitely share this, whether it works or not.

  • Hi,

    It's possible to override the settings in reverseproxy.conf at the end of httpd.conf. The settings in httpd.conf aren't overwritten by config changes or a reboot.

    Edit /var/chroot-reverseproxy/usr/apache/conf/httpd.conf:

    After the line 'Include conf/reverseproxy.conf' you can put, for example:

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS

    Restart the reverseproxy: /var/mdw/scripts/reverseproxy restart


    Best,

     Sabine
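
The following script is an added example and is not part of Sabine's post or of any Sophos tooling. It applies the override she describes (the same cipher string, the same httpd.conf path, the same Include line and the same restart script) in a way that can be rerun safely: the inserted block is tagged with a marker comment so a second run is a no-op, and a helper expands the cipher string with the local openssl and refuses it if anything weak survives. The marker comment, the extra SSLProtocol and SSLHonorCipherOrder directives (Apache 2.4 syntax) and the variable names are my assumptions; disabling TLS 1.0/1.1 will lock out old clients, so test the change in a lab and recheck the site on ssllabs.com after the restart.

```shell
#!/bin/sh
# Added example (not from the thread): insert the SSLCipherSuite override
# after 'Include conf/reverseproxy.conf' in the WAF's httpd.conf, once,
# and verify the result. Marker comment, SSLProtocol/SSLHonorCipherOrder
# lines and variable names are assumptions; the rest is as posted above.

HTTPD_CONF="${HTTPD_CONF:-/var/chroot-reverseproxy/usr/apache/conf/httpd.conf}"
RESTART_CMD="${RESTART_CMD:-/var/mdw/scripts/reverseproxy restart}"
INCLUDE_FILE='conf/reverseproxy.conf'
# Cipher string exactly as posted by Sabine.
CIPHERS='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS'
MARKER='# waf-cipher-override'   # assumption: tag so reruns are idempotent

# Insert the override block directly after the Include line. A second run
# finds the marker and does nothing, so this is safe from cron or by hand.
apply_override() {
    conf="$1"
    if grep -q -F "$MARKER" "$conf"; then
        return 0
    fi
    awk -v inc="$INCLUDE_FILE" -v m="$MARKER" -v c="$CIPHERS" '
        { print }
        $1 == "Include" && $2 == inc {
            print m
            print "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"  # assumption: Apache 2.4 syntax
            print "SSLHonorCipherOrder on"
            print "SSLCipherSuite " c
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Number of override blocks in a config; must be exactly 1 after apply.
override_count() {
    grep -c -F "$MARKER" "$1"
}

# Expand the cipher string with the local openssl and fail (1) if a weak
# algorithm survives: RC4, DES/3DES, MD5, NULL or export suites.
# Returns 2 when openssl is not available on this box.
check_ciphers() {
    list=$(openssl ciphers "$CIPHERS" 2>/dev/null) || return 2
    if printf '%s\n' "$list" | tr ':' '\n' | grep -Eq 'RC4|DES|MD5|NULL|EXP'; then
        return 1
    fi
    return 0
}

# Usage on the UTM:  sh waf-ciphers.sh --apply
if [ "${1:-}" = "--apply" ]; then
    check_ciphers || echo "warning: cipher check returned $?" >&2
    apply_override "$HTTPD_CONF"
    $RESTART_CMD
    echo "override blocks in $HTTPD_CONF: $(override_count "$HTTPD_CONF")"
fi
```

Running it with --apply edits the live httpd.conf and restarts the reverse proxy, so do it in a maintenance window; without arguments it only defines the functions. The awk match requires the line to start with the Include directive, so a commented-out Include is ignored.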

  • Hello Sabine,

    thanks for sharing, but is this supported by Sophos? Not only for home or lab use, but for a production environment? That is the important question for most here.

    At least an entry in the KB should or could deal with that.

    Best regards

    Alex

  • Hi Folks,

    I think Sabine has posted a proper solution. Now in order to apply it on the UTM9, for Home devices, it should not be an issue. For licensed UTM9, it'd be better if it's discussed with the Account manager or Support first before doing these changes. I'll check if this information can be used in a Public article.

    Regarding the changes I made on my lab device: they were reverted by a change in the config, and also by a reboot. I could not check with a firmware update, but it's obvious that it will not stay persistent.

    Regards

    Jaydeep

  • Hi JayDeep,

    Thank you for testing this for us. Your answer really helps me/us. I was wondering: you say the config changes back, but could we get around this using a cron job? For example, place the modified file in a location where it wouldn't be overwritten, and after every reboot replace the original file and restart the WAF service.


    Greets,

    Jeffrey

  • That would help after a restart. But what about the changes you do in the config? I guess it's not possible to do a cronjob for that. Sabine has suggested a proper fix which is persistent over the changes we would attempt. Would you be able to try that and see if that helps? Please post any difficulties you face.

    Regards

    Jaydeep

  • JayDeep,

    Thank you again. I'm setting up my testing environment as we speak. I'll keep you informed.

    Greets,

    Jeffrey