WAF - VWS - TLS version setting removed from UTM 9.506

UTM 9.5 introduced the ability to set the TLS version on a per-VWS basis.

This was a much needed feature that allowed us to increase the TLS version setting for Virtual Web Servers that we wanted to run a higher version, whilst allowing us to continue to run some VWS at a lower level, where clients would not work properly at the highest version.

It appears that this has been removed in 9.506, being replaced by a global setting on the Advanced tab under the WAF area in Webadmin.

I have now had to change the setting for ALL my VWS to TLS 1.0 so that the few systems that require us to use the less secure 1.0 can continue to operate, weakening the security stance of all the VWS I had previously operating at version 1.2.

This is obviously not good.

Have I completely missed something in the release notes explaining this change? Or has Sophos pulled this feature without a mention?

The only thing in the release notes that even seems related is 'NUTM-8806 [WAF] Issue with TLS settings for virtual webserver' 



  • Confused me too :-)

     

    Like you said, look under "Advanced" :

     

    :-)

     

    I cannot think of sites using lower than 1.2, so for me it's not a problem, but I surely understand some can have issues, though they may be few.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Is there anything new on this issue? There are no notes on the release notes for 9.508.

    The ability to configure the tls-version per vws is an important feature. 

  • I checked at Ideas, Benedikt, and there is no such feature request, so you might want to make one and post a link to it here in this thread.  I checked the structure of a Virtual Server object at the command line with cc get_object and confirmed that there is no option that could be changed in it to select a different TLS version.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA