Remove support for TLS 1.0/Allow it to be disabled.
PCI scans that see a remote access port open to the internet fail because the appliance still supports TLS 1.0. I have to dispute this every time, and it is a real hassle.
Chris Lott
shared this idea
16 comments
-
Anonymous
commented
Just supporting this post, I also have numerous clients that fail their PCI scans due to this. My response is for my XG users/networks.
-
Allan Dynes
commented
Using a XG here. You guys pushed out a beta firmware 16.05 RC1 and disabled TLS v1.0 but then in the actual release, v16.05 MR1 & MR2 you enabled it!
This problem still exists, at least for WAF where I am failing PCI compliance scans because of it.
This should be disable by default with a option through the CLI or even the UI to enable/disable as we see fit along with other cypher's.
Coming from a TMG 2010 box I was able to easily edit the registry to turn on and off cyphers....I can't believe a product much newer doesn't have the same abilities.
-
FosterDoug
commented
For web filtering, the protocol configuration is controlled by the "SSL Protocol" line in this file: /var/sec/chroot-httpd/etc/httpd/httpd.conf. You can probably edit it to disable TLS1.0 in earlier firmware.
-
FosterDoug
commented
This is done. After updating to firmware 9.408-4, I found that TLS 1.0 is disabled for Web Filtering with HTTPS inspection enabled. I assume that the same change was made for other components, particularly WAF. If the change was announced in the release notes, I missed it. Since there are still plenty of remote webservers running with only TLS1.0 capability, the change created some challenges for our users.
This feature request site would be less frustrating if product management would update requests like this when the change is completed, as well as merging duplicates -
Anonymous
commented
We're on 9.407-3 TLS 1.0 Still enabled
-
Anonymous
commented
SOPHOS! wake up and disallow TLS 1.0!!!
-
Harlan
commented
We're on 9.403-4 TLS 1.0 Still enabled
-
Bryan Delos Reyes
commented
Hello All,
The Removal of Support for TLS v1.0 from Apache Configuration has been applied already on UTM 9.402
-
Terence
commented
This is also causing us issues with PCI scans for us. Not having fixed this for almost a year is shameful.
-
Dr.Richtofen
commented
Day 36: The experiment failed, the zombies are trying to kill us we don't now what else to do this is going out of control hopefully this will end soon! the only thing I'm worried for is my family the didn't did anything and they got killed WHY. We don't now what else to do we're really ********* if someone sees this they are watching you and everything what you do, whatever you do don't listen to them they will try to confuse you, someone enter I've to go...
-
John
commented
I could not agree more - we fail our PCI scans too and disabling this permanently should be an option. Please Sophos, add it to the GUI and provide a permanent solution?
-
Anonymous
commented
Yeah, reverting after upgrade to allow TLS 1.0 is the frustrating. Can this setting just stick?
-
Anonymous
commented
I agree, we fail a PCI scan every time because you can't disable TLS 1.0 through the GUI. Modifying the shell every time and after every upgrade is totally unacceptable and prone to errors. I hope they add this feature soon.
-
Anonymous
commented
I agree, it would be great to have the option to disable it. We had TLS 1.0 disabled on our system via shell access, but the next time a firmware update was installed, TLS 1.0 was enabled again.
-
Jesus Perez
commented
This isn't even something to vote on. How can you call anything a Security Appliance with TLS v1.0 enabled by default?
-
Ryan Custer
commented
I have the same issue with multiple customers as well.
