Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong cat
Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong category.
For Sophos: Case ref. [#9897773]
Similar request for change/improvement due same lack of choises in ciphersuites.
I line out of the case:
"Of course, I would rather see that Sophos follows the cipher recommendations more strict or build in a option “compatible” or “strict” like the options of TLS"
Please please please can this feature be added. It is essential for all the reasons previously mentioned. Unfortunately Sophos UTM cannot be considered suitable for Enterprise use as it lacks such a fundamental feature.
PCI compliance tests are failing due to the weak ciphers used by the WAF , have contacted support who have said i need to raise a feature request , as this has been outstanding for years its likely ill need to look for an alternative WAF
John Gjonola commented
This needs to be completed. I keep failing PCI compliance without it and it seems to reset every time something even minor changes. Please!
Phillip Hesse commented
5 years and 4 months later and we are still waiting :o(
Not impressed, especially as this is supposed to be a security company and product?
Time to move on and buy a security product that supports this I think
Victor Ferrando commented
We need this too.
Also it would be great to be able to add headers for HSTS and configure ocsp stapling
at some point it would be interesting to have the chance of supporting http/2 on the frontend and TLS.13
We need this setting (via Console or GUI) to stay after configuration change.
Choose the needed ciphers is a mandatory requirement in these days.
Testing our website with https://www.ssllabs.com/ssltest shows the following result:
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
We need this feature too.
I can only say, this feature request is more than important and technically not too hard to implement.
I can understand, that customers aren´t allowed to change this in the .conf files, but then we need too have access to it in the gui.
Please implement it that way, that one can enter the ciphers to be used.
peakwork Admins commented
We really need this feature, too for PCI compliance.
Martin B commented
nowadays it should be normal, that you can set the used ciphers. Same goes for ciphers used by smtp over tls.
Adam Wilson commented
In this day and age where SSL ciphers are being frequently broken SysAdmins need the ability to respond to threats by tuning their supported ciphers instead of waiting for Sophos to do it "Real Soon Now". The default RC4 cipher is exploitable today and we have no way to make it the non-default cipher for TLS1.2 which supports the strongly secure AES128GCM cipher.
I work with an MSP company and this is a feature that we require for our customers.
Would love that feature, since NSA more then ever. RC4 becomes exploitable in the distant future.
This is probably needed for PCI compliance, unless the weak ciphers have already been disabled.
It would still make future PCI changes easier to deal with (e.g. when BEAST was discovered, etc.)