
TLS connection hardening

Hello everybody,

is it possible to use the SSL/TLS inspection feature to harden encrypted connections? The main point of my question is: Is it possible to select cipher suites and protocol versions that are allowed to communicate with 3rd party servers outside the network? For example, am I able to prevent SSL connections with 3DES ciphers? Is there a possibility to only allow, let's say, the AES256 cipher suite?

Another question: If I use SSL inspection and the 3rd party server presents an invalid certificate (either it is outdated or it is from an untrusted issuer), how would the user be informed? Am I able to select trusted authorities in the UTM? This would be necessary since the usage of SSL inspection does not allow the end user to use his own trust database.


Thank you very much for an answer!

Peter



  • Hi, Peter, and welcome to the UTM Community!

    From the command line as root, you can see which ciphers and algorithms are allowed:

    cc get http tlsciphers_client

    There is a way to change the content of that setting, but if you have a paid license, you risk losing support.  Sophos has been very proactive in getting unsafe ciphers removed, so I question whether you really want to manage this yourself.  If it's a requirement, you should ask Sophos support to do it or to give you permission to make the change.

    One of our unwritten rules here is "one topic per thread."  Please ask your second question in a new thread - that will make it easier for people to find the answers to both questions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
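An added example (not part of the thread, and not Sophos or the moderator's code) showing how to audit a cipher list of the kind the thread discusses. It assumes the value held in tlsciphers_client is an OpenSSL cipher-list string (an assumption; the post only shows the command, not its output). The script resolves a cipher string against the local OpenSSL build, flags the suites Peter wants gone (3DES, RC4, MD5 MAC, anonymous or null suites), and shows a string that leaves only ECDHE suites with 256-bit AES. The labels and the sample string are constructed here; the check runs on the machine it is executed on, not on the UTM, so treat it as a way to read a policy, not as proof of what the appliance negotiates.

```python
import re
import ssl

# Labels and patterns are this example's own; they match the text OpenSSL puts in
# a suite's description line, e.g. "Enc=3DES(168)" or "Mac=MD5".
WEAK_PATTERNS = {
    "3DES": re.compile(r"Enc=3DES"),
    "RC4": re.compile(r"Enc=RC4"),
    "single DES": re.compile(r"Enc=DES\("),
    "no encryption": re.compile(r"Enc=None"),
    "MD5 MAC": re.compile(r"Mac=MD5"),
    "anonymous key exchange": re.compile(r"Au=None"),
}


def expand_cipher_string(cipher_string: str) -> list:
    """Resolve an OpenSSL cipher-list string into the concrete suites the local
    OpenSSL would offer for TLS 1.2 and below (TLS 1.3 suites are listed as well;
    set_ciphers() does not control them)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weak_suites(suites: list) -> list:
    """Return [(suite_name, [reasons])] for every suite matching a weak pattern.
    Each entry in `suites` is a dict with at least 'name' and 'description',
    the shape returned by SSLContext.get_ciphers()."""
    findings = []
    for suite in suites:
        desc = suite.get("description", "")
        reasons = [label for label, pat in WEAK_PATTERNS.items() if pat.search(desc)]
        if reasons:
            findings.append((suite["name"], reasons))
    return findings


def audit(cipher_string: str) -> dict:
    """Expand a cipher string and report which of the resulting suites are weak."""
    suites = expand_cipher_string(cipher_string)
    return {
        "offered": [s["name"] for s in suites],
        "weak": weak_suites(suites),
    }


# Constructed strings: a permissive list of the kind an older default might hold,
# and one that permits only forward-secret suites with 256-bit AES, no anonymous,
# null or MD5 suites. "AES256" is the OpenSSL keyword for suites using 256-bit AES.
PERMISSIVE = "HIGH:MEDIUM:!aNULL"
AES256_ONLY = "ECDHE+AES256:!aNULL:!eNULL:!MD5"

if __name__ == "__main__":
    for label, cipher_string in (("permissive", PERMISSIVE), ("aes256-only", AES256_ONLY)):
        report = audit(cipher_string)
        print(f"{label}: {len(report['offered'])} suites offered")
        for name, reasons in report["weak"]:
            print(f"  weak: {name} ({', '.join(reasons)})")
```

Whether the permissive string actually yields a 3DES suite depends on how the local OpenSSL was built; newer builds drop DES-CBC3 entirely, which is itself useful to know before relying on a "!3DES" entry in a policy.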