How do I disable some cipher suites in Webserver Protection?

After running an SSL check for one of our sites, which is served by our UTM, it turned up that we have 3 weak ciphers being supported by the UTM:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   (0x16)     DH 2048 bits                         FS   WEAK   112
TLS_RSA_WITH_3DES_EDE_CBC_SHA       (0xa)                                                WEAK   112

How do I disable these ciphers?



  • I have chased these issues, and what follows below is from my notes.  The current settings vary with the UTM release.  The new settings are suggestions, which you should be able to tailor to your preference by mimicking the examples.

    HIGH, MEDIUM, and LOW are OpenSSL keywords which correspond to a bundle of ciphers.  Only HIGH ciphers are considered acceptable anymore.

    To test the cipher results for any given keyword combination, you can use this command from the shell:

    openssl ciphers keywordlist

    Except that for "not" keywords (like !MD5), you need to add an escape from the shell, for example:

    openssl ciphers HIGH:\!MD5:\!SHA1

    -------------------------------------------------

    Applies to: WebAdmin, User Portal, Mail Manager, SPX Reply Portal

    cd /var/sec/chroot-httpd/etc/httpd/

    vi httpd.conf
    --- Current -----
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES
    SSLProtocol +TLSv1.1 +TLSv1.2
    --- New -----
    SSLCipherSuite HIGH:!MD5:!SHA1
    SSLProtocol +TLSv1.2
    -------------

    /etc/init.d/httpd restart

    *** completed **** still have cert issue
    ==================================================================

    Applies to: WAF ReverseProxy

    cd /var/chroot-reverseproxy/usr/apache/conf/

    vi httpd.conf
    --- Current -----
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLProtocol all -SSLv2 -SSLv3
    --- New -----
    SSLCipherSuite HIGH:!MD5:!SHA1
    SSLProtocol +TLSv1.2
    -------------

    /var/mdw/scripts/reverseproxy restart
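    An added example (not part of the thread above, and not Sophos code) that does the same check as the `openssl ciphers` command from a Python script. It expands an SSLCipherSuite-style string with the standard-library `ssl` module, which uses the same OpenSSL cipher-string syntax, so no shell escaping of the `!` keywords is needed, and it reports any 3DES/RC4/MD5/NULL suites or suites under 128 bits that the string would still enable. The exact suite list depends on the OpenSSL build Python was linked against, just as it does for the UTM's own OpenSSL.

```python
import ssl

# Constructed for this example: OpenSSL short names of the three suites the
# SSL check flagged (TLS_ECDHE_RSA/TLS_DHE_RSA/TLS_RSA_WITH_3DES_EDE_CBC_SHA).
FLAGGED_SUITES = {"ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA"}

# The "new" string proposed above for httpd.conf / the reverse proxy.
HARDENED = "HIGH:!MD5:!SHA1"


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it enables,
    like `openssl ciphers <string>` but without any shell quoting.
    Raises ssl.SSLError if the string matches no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_string):
    """Return the enabled suites a scanner would still rate WEAK: 3DES, RC4,
    MD5 or NULL ciphers, or anything whose effective strength is < 128 bits
    (OpenSSL reports 3DES as 112 bits, matching the report above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    weak = []
    for c in ctx.get_ciphers():
        name = c["name"]
        bad_name = any(tag in name for tag in ("DES-CBC3", "3DES", "RC4", "MD5", "NULL"))
        if bad_name or c["strength_bits"] < 128:
            weak.append(name)
    return weak


def still_flagged(cipher_string):
    """Which of the three suites from the SSL report would this string keep?"""
    return sorted(FLAGGED_SUITES & set(expand_cipher_string(cipher_string)))


if __name__ == "__main__":
    for label, s in (("hardened", HARDENED), ("lax (for contrast)", "HIGH:MEDIUM")):
        print(f"{label}: {s}")
        print("  enabled :", len(expand_cipher_string(s)), "suites")
        print("  weak    :", weak_suites(s) or "none")
        print("  flagged :", still_flagged(s) or "none")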

  • Hi,

    Is this an official/legal way to disable weak ciphers?  I read in some other posts that if you do this you may lose your Sophos warranty.

    Thanks and Best Regards,
    Asif
