Sophos Ideas / SG UTM

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Suggest an Idea...

← SG UTM

Remove support for TLS 1.0/Allow it to be disabled.

PCI scans that see a remote access port open to the internet fail because the appliance still supports TLS 1.0. I have to dispute this every time, and it is a real hassle.

94 votes
Sign in Sign in with: Log in with your Sophos ID
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Chris Lott shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

12 comments

Sign in Sign in with: Log in with your Sophos ID
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    Just supporting this post, I also have numerous clients that fail their PCI scans due to this. My response is for my XG users/networks.

  • Allan commented  ·   ·  Flag as inappropriate

    Using a XG here. You guys pushed out a beta firmware 16.05 RC1 and disabled TLS v1.0 but then in the actual release, v16.05 MR1 & MR2 you enabled it!

    This problem still exists, at least for WAF where I am failing PCI compliance scans because of it.

    This should be disable by default with a option through the CLI or even the UI to enable/disable as we see fit along with other cypher's.

    Coming from a TMG 2010 box I was able to easily edit the registry to turn on and off cyphers....I can't believe a product much newer doesn't have the same abilities.

  • FosterDoug commented  ·   ·  Flag as inappropriate

    For web filtering, the protocol configuration is controlled by the "SSL Protocol" line in this file: /var/sec/chroot-httpd/etc/httpd/httpd.conf. You can probably edit it to disable TLS1.0 in earlier firmware.

  • FosterDoug commented  ·   ·  Flag as inappropriate

    This is done. After updating to firmware 9.408-4, I found that TLS 1.0 is disabled for Web Filtering with HTTPS inspection enabled. I assume that the same change was made for other components, particularly WAF. If the change was announced in the release notes, I missed it. Since there are still plenty of remote webservers running with only TLS1.0 capability, the change created some challenges for our users.
    This feature request site would be less frustrating if product management would update requests like this when the change is completed, as well as merging duplicates

  • Terence commented  ·   ·  Flag as inappropriate

    This is also causing us issues with PCI scans for us. Not having fixed this for almost a year is shameful.

  • Dr.Richtofen commented  ·   ·  Flag as inappropriate

    Day 36: The experiment failed, the zombies are trying to kill us we don't now what else to do this is going out of control hopefully this will end soon! the only thing I'm worried for is my family the didn't did anything and they got killed WHY. We don't now what else to do we're really ********* if someone sees this they are watching you and everything what you do, whatever you do don't listen to them they will try to confuse you, someone enter I've to go...

  • Jesus Perez commented  ·   ·  Flag as inappropriate

    This isn't even something to vote on. How can you call anything a Security Appliance with TLS v1.0 enabled by default?

SG UTM: Appliance Hardware

Categories

Feedback and Knowledge Base

(thinking…)
icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.