In this article we describe how to disable weak cipher suites in the Sophos UTM firewall's Web Server Protection (WAF). First identify which weak cipher suites the UTM currently offers; the Qualys SSL Labs server test is a convenient way to do that: https://www.ssllabs.com/ssltest/
After running the SSL Labs test we observed some weak cipher suites, as shown in the image below.
Now let us look at how to disable them. Before making any changes on the UTM, take a backup of the UTM configuration.
The file to modify is the Apache configuration of the reverse proxy that implements the WAF: /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf
The added line survives WAF configuration changes and WAF restarts. It will not survive a firewall upgrade or a reimage, so re-check the file and re-add the line after either.
Note that while the added line is present in httpd.conf, changes made in WebAdmin under Web Protection > Web Application Firewall > Advanced > TLS settings will not take effect, because the appended SSLCipherSuite line comes last in the file and takes precedence. To apply a TLS settings change, delete the added line, restart the reverse proxy, and then make the change.
Once the change has taken effect, re-add the line and restart the reverse proxy again.
Steps To Follow:
- Append the directive to the end of the file with: sed -i -e "\$aSSLCipherSuite ECDH+AESGCM:DH+AESGCM:\!aNULL:\!MD5:\!DSS" /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf (the \$ stops the shell from expanding $a, the \! guards against history expansion in an interactive shell, and sed writes the line without the backslashes). This cipher string allows only ECDHE and DHE key exchange with AES-GCM and excludes anonymous, MD5 and DSS suites.
- Confirm the line was appended at the end of the file, for example by opening it: vi /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf
- Restart the WAF (reverse proxy) so the new configuration is loaded: /var/mdw/scripts/reverseproxy restart (this drops all active WAF sessions, so every user has to reconnect).
After the restart, run the SSL Labs test against the firewall again and confirm that the weak cipher suites are no longer offered.
To remove the added line later, run: sed -i '/^SSLCipherSuite/d' /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf. This deletes every line that begins with SSLCipherSuite in column 0, so first confirm that no other line in the file starts that way.
Once executed, confirm by viewing the file again: vi /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf
Then restart the WAF service as above and confirm that everything works.
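The following script is an added example, not from the original article or from Sophos, that wraps the append, verify, remove and restart steps above in shell functions. It is idempotent (running the append twice does not create a duplicate line), takes a backup copy of httpd.conf before editing, refuses to delete when more than one SSLCipherSuite line starts in column 0 (the delete pattern would remove all of them), and expands the cipher string with the local OpenSSL so you can see exactly which suites remain before restarting the WAF. The demo at the bottom runs against a constructed stand-in for httpd.conf, never the real file; the HTTPD_CONF path and the restart script are the ones named in the article, the function names are my own.

```shell
#!/bin/sh
# Added example (not Sophos code): manage the SSLCipherSuite override in the
# UTM reverse-proxy httpd.conf. Functions take the file path as $1 so they can
# be exercised on a test copy before being pointed at the real file.

# Cipher string from the article: ECDHE/DHE key exchange with AES-GCM only,
# no anonymous, MD5 or DSS suites.
CIPHERS='ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS'
LINE="SSLCipherSuite $CIPHERS"
# Real path on the UTM (from the article); override with the environment for testing.
HTTPD_CONF="${HTTPD_CONF:-/var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf}"

# Number of lines starting with SSLCipherSuite in column 0 (the pattern the
# article's delete command matches). Always returns 0 so it is safe under set -e.
count_override() {
    grep -c '^SSLCipherSuite' "$1" || true
}

# Append the override once. A second run is a no-op instead of adding a duplicate.
add_override() {
    if grep -qF "$LINE" "$1"; then
        return 0
    fi
    cp "$1" "$1.bak"              # keep a copy to restore from if Apache refuses to start
    sed -i -e "\$a$LINE" "$1"     # $a appends after the last line, as in the article
}

# Remove the override. Refuse if more than one column-0 SSLCipherSuite line
# exists, because '/^SSLCipherSuite/d' would delete every one of them.
remove_override() {
    n=$(count_override "$1")
    if [ "$n" -gt 1 ]; then
        echo "refusing: $n SSLCipherSuite lines at column 0 in $1" >&2
        return 1
    fi
    sed -i '/^SSLCipherSuite/d' "$1"
}

# The check the article does by opening the file in vi: exactly one override
# line, and it is the last line of the file.
verify_override() {
    [ "$(tail -n 1 "$1")" = "$LINE" ] && [ "$(count_override "$1")" -eq 1 ]
}

# Expand the cipher string with the local OpenSSL. An empty list means a typo.
# Apache applies the last SSLCipherSuite in a context, so the appended global
# line only wins where no <VirtualHost> overrides it; SSL Labs is the final check.
show_ciphers() {
    openssl ciphers -v "$CIPHERS"
}

# Restart the reverse proxy (drops all active WAF sessions), as in the article.
restart_waf() {
    /var/mdw/scripts/reverseproxy restart
}

# Demo on a constructed stand-in for httpd.conf (not the real UTM file).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed stand-in for the UTM reverse-proxy httpd.conf
ServerRoot "/usr/apache"
Listen 443
SSLEngine on
    SSLCipherSuite HIGH:!aNULL
EOF
add_override "$tmp"
add_override "$tmp"                  # second run does not add a duplicate
verify_override "$tmp" && echo "override present once, at the end of $tmp"
command -v openssl >/dev/null 2>&1 && show_ciphers
remove_override "$tmp"
echo "after removal: $(count_override "$tmp") override line(s)"
rm -f "$tmp" "$tmp.bak"
```

On the UTM itself the sequence is `add_override "$HTTPD_CONF" && verify_override "$HTTPD_CONF" && restart_waf`; to change TLS settings in WebAdmin, run `remove_override "$HTTPD_CONF" && restart_waf`, make the change, then add the override back and restart again. The indented `SSLCipherSuite HIGH:!aNULL` in the constructed file is deliberate: it shows that the anchored delete pattern leaves indented directives alone, which is why the script counts only column-0 matches.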
Note: the steps above should be carried out by someone with solid hands-on Linux experience, since a typo in httpd.conf can stop the reverse proxy from starting.
Hope this article helps you.