Remove support for TLS 1.0/Allow it to be disabled.
PCI scans that see a remote access port open to the internet fail because the appliance still supports TLS 1.0. I have to dispute this every time, and it is a real hassle.
Just supporting this post, I also have numerous clients that fail their PCI scans due to this. My response is for my XG users/networks.
Using an XG here. You guys pushed out a beta firmware 16.05 RC1 and disabled TLS v1.0, but then in the actual release, v16.05 MR1 & MR2, you enabled it!
This problem still exists, at least for WAF where I am failing PCI compliance scans because of it.
This should be disabled by default, with an option through the CLI or even the UI to enable/disable it as we see fit, along with other ciphers.
Coming from a TMG 2010 box, I was able to easily edit the registry to turn ciphers on and off. I can't believe a product much newer doesn't have the same abilities.
For web filtering, the protocol configuration is controlled by the "SSL Protocol" line in this file: /var/sec/chroot-httpd/etc/httpd/httpd.conf. You can probably edit it to disable TLS1.0 in earlier firmware.
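Before disputing a scan finding, or after editing the SSL Protocol line mentioned above, it helps to confirm from outside whether the port still completes a TLS 1.0 handshake. This is an added example, not code from the thread or from Sophos; it assumes `openssl s_client` prints its usual "New, <protocol>, Cipher is <name>" summary line.

```shell
#!/bin/sh
# Added example: check whether a listener still accepts a TLS 1.0 handshake,
# which is the condition the PCI scanners discussed above flag.

# Classify captured s_client output: "accepted" if a cipher was negotiated,
# "refused" if the summary line shows no cipher, "unknown" if no summary line.
classify_s_client_output() {
  summary=$(printf '%s\n' "$1" | grep '^New, ' | head -n 1)
  case "$summary" in
    "")                    echo unknown ;;
    *"Cipher is (NONE)"*)  echo refused ;;
    *"Cipher is "*)        echo accepted ;;
    *)                     echo unknown ;;
  esac
}

# Probe host:port with the handshake pinned to TLS 1.0 (-tls1) and report.
# Exit status 1 means TLS 1.0 is still accepted, so the scan finding is real.
tls10_check() {
  host=$1; port=${2:-443}
  out=$(printf '' | openssl s_client -connect "$host:$port" -tls1 2>&1 || true)
  verdict=$(classify_s_client_output "$out")
  echo "$host:$port TLS 1.0 $verdict"
  [ "$verdict" != accepted ]
}

# Usage: sh tls10_check.sh <host> [port]
if [ $# -gt 0 ]; then
  tls10_check "$@"
fi
```

Run it against the appliance's public WAF or remote-access port after each firmware update; "refused" is the result the scanner needs to see.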
This is done. After updating to firmware 9.408-4, I found that TLS 1.0 is disabled for Web Filtering with HTTPS inspection enabled. I assume that the same change was made for other components, particularly WAF. If the change was announced in the release notes, I missed it. Since there are still plenty of remote webservers running with only TLS1.0 capability, the change created some challenges for our users.
This feature request site would be less frustrating if product management would update requests like this when the change is completed, as well as merging duplicates.
We're on 9.407-3; TLS 1.0 is still enabled.
SOPHOS! wake up and disallow TLS 1.0!!!
We're on 9.403-4; TLS 1.0 is still enabled.
Bryan Delos Reyes commented
The Removal of Support for TLS v1.0 from Apache Configuration has already been applied on UTM 9.402.
This is also causing issues with PCI scans for us. Not having fixed this for almost a year is shameful.
Jesus Perez commented
This isn't even something to vote on. How can you call anything a Security Appliance with TLS v1.0 enabled by default?
Ryan Custer commented
I have the same issue with multiple customers as well.