How to disable TLSv1 on Sophos UTM9 WAF for PCI

As freaking annoying as it is that the Sophos UTM, a security appliance, doesn't pass a PCI compliance scan, what's worse is that the process for disabling TLSv1 for sites running behind the Sophos WAF isn't currently documented anywhere that I can find.

So, in an effort to help the community at large, I decided to document how I fixed it.

First, I was able to find excellent documentation by a community member on how to disable TLSv1 for the Sophos Admin interface:

This is helpful, but I also needed to know how to disable TLSv1 for sites that run behind the Sophos WAF.

After (a lot of) digging, I found that the sites running behind the Sophos WAF are served by the Sophos service "reverseproxy". This is the service we need to edit to remove TLSv1 support.

The above documentation covers how to log into the command line on a Sophos UTM9, so I won't repeat it. Once you're logged in, you'll need to run the following commands:

sudo vim /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf

Update this line:

#SSLProtocol all -SSLv2 -SSLv3

to this

SSLProtocol +TLSv1.1 +TLSv1.2

Then restart the 'reverseproxy' service with the following command:

sudo /var/mdw/scripts/reverseproxy restart

Check that you can no longer access your site using TLSv1 with the following command (updating it with your own domain name):

openssl s_client -connect -tls1

You'll get a handshake failed error if TLSv1 has been properly disabled:

SSL handshake has read 0 bytes and written 0 bytes
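To make the check above scriptable rather than read by eye, here is an added POSIX shell example (not part of the original post): it classifies the output of the `openssl s_client -tls1` probe and wraps the live probe in a function that takes your host name. The sample outputs are constructed for offline testing, and the strings the classifier looks for are an assumption about what s_client prints for a refused versus a completed TLSv1 handshake.

```shell
#!/bin/sh
# Added example, not from the original post: script the TLSv1 check.
# classify_tls1_output inspects captured `openssl s_client -tls1` output and returns:
#   0 - the server refused a TLSv1 handshake (what we want after the httpd.conf change)
#   1 - a TLSv1 session was negotiated (TLSv1 is still enabled)
#   2 - inconclusive (connection problem, unexpected output)
classify_tls1_output() {
    out="$1"
    # A refused handshake reads no application data; newer openssl builds also
    # print an explicit alert or "unsupported protocol" error.
    if printf '%s\n' "$out" | grep -q 'SSL handshake has read 0 bytes'; then
        return 0
    fi
    if printf '%s\n' "$out" | grep -qiE 'handshake failure|unsupported protocol|wrong version number'; then
        return 0
    fi
    # A completed session prints the negotiated protocol in the SSL-Session block.
    # The $ anchor keeps "TLSv1.1" / "TLSv1.2" from matching.
    if printf '%s\n' "$out" | grep -qE '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*TLSv1$'; then
        return 1
    fi
    return 2
}

# check_tls1_disabled HOST [PORT]: runs the live probe and classifies it.
# Assumes the local openssl still offers -tls1 (recent builds may have it compiled out).
check_tls1_disabled() {
    host="$1"
    port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -tls1 </dev/null 2>&1)
    classify_tls1_output "$out"
}

# Constructed sample outputs (not captured from a real host) so the classifier
# can be exercised without network access.
SAMPLE_REFUSED='CONNECTED(00000003)
139999:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 0 bytes'

SAMPLE_ACCEPTED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
---
SSL handshake has read 2931 bytes and written 314 bytes'

# Usage (replace the placeholder host with your own domain):
#   check_tls1_disabled example.com 443 && echo "TLSv1 disabled"
```

Run the usage line against your own domain after restarting reverseproxy; exit status 0 means the WAF refused TLSv1, 1 means it still negotiated it, and 2 means the probe itself did not complete (check the host, port and that your openssl build still supports `-tls1`).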

How to create an elliptical shadow in GIMP

For a new project, I wanted to create a shadow on an icon I was creating in order to give it some depth. I couldn't find any good visual tutorials on how to do this in GIMP, which usually means I'm not using the right keywords, but I was able to find a forum post: Creating an Elliptical Vignette in GIMP.

Following the poster's steps exactly didn't get me what I wanted, but by modifying his steps slightly I was able to do what I wanted, so I figured I'd write down what I deduced from his process and include some screenshots in an effort to help anyone else who wants to do something like this.

Step 1: Prep Your Image

I prepared my icon for a shadow by increasing the canvas size a bit so that there was room for the shadow below the icon itself. The result was as follows:

Step 2: Ellipse Select

Next, I selected an area beneath the image where my shadow was going to go.

Step 3: Feather the Selection

Next, we're going to feather our selection. This is what gives us the gradient. To feather your selection, use the menu and go to Select -> Feather. GIMP will prompt you for how many pixels you want to feather; I went with 25. The outline of your elliptical selection will disappear when you feather it, but don't worry, the selection is still there.

Step 4: Fill with FG Color

Last, you'll want to fill the selection with the color you want to use as your shadow. I just went with black, and set black as my foreground color. From there, go back to the menu and choose Edit -> Fill with FG Color. You can repeat the fill if you want your shadow to grow darker. I had to fill 3 times before I got the following result:

Hope this helps!

Steam won't start on Ubuntu 16.04 LTS 64-bit with AMD GPU

Steam on Ubuntu 16.04

I run two PCs with AMD GPUs, and with the release of Ubuntu 16.04 LTS I have been unable to run Steam using the default graphics drivers that come with Steam. Clicking the Steam icon just made it flash for a little bit, but Steam never started. To get more detail, I tried running Steam from the command line, and I got the following error message:

jordan@jordan-H8DI3:~$ steam
Running Steam on ubuntu 16.04 64-bit
STEAM_RUNTIME is enabled automatically
grep: symbol lookup error: grep: undefined symbol: pcre_jit_stack_alloc
/bin/bash: /home/jordan/.local/share/Steam/ubuntu12_32/steam-runtime/amd64/lib/x86_64-linux-gnu/ no version information available (required by /bin/bash)
grep: symbol lookup error: grep: undefined symbol: pcre_jit_stack_alloc
grep: symbol lookup error: grep: undefined symbol: pcre_jit_stack_alloc
awk: /home/jordan/.local/share/Steam/ubuntu12_32/steam-runtime/amd64/lib/x86_64-linux-gnu/ no version information available (required by /lib/x86_64-linux-gnu/
Installing breakpad exception handler for appid(steam)/version(1468023329)
libGL error: unable to load driver:
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver:
libGL error: failed to load driver: swrast

I had to hit CTRL+C in order to get out of it. After some research, I was able to get Steam running with the following command:

LD_PRELOAD='/usr/$LIB/' DISPLAY=:0 steam

I haven't tried a lot of games through Steam after starting it this way, but the ones that I did try have run just fine... so far.

How to fix Lucee 'Handler "BonCode-Tomcat-CFM-Handler" has a bad module "ManagedPipelineHandler" in its module list' Error.

For whatever reason, some versions of IIS set the default .NET version for application pools to 2.0. This is generally ridiculous since 4.0 has been around for some time, and even when 4.0 is installed and working, MS will still default to 2.0.

If you install Lucee server onto your Windows server and get this error, there are several possible causes:

1) You need to use a more recent version of .NET for your application pool. The fix is to adjust your .NET application pool version to 4.0 (or above) for that site, then restart the pool. Once you do that, your Lucee install should work perfectly.

IIS Application Pool Switch from 2.0 to 4.0

2) You need to ensure that you have .NET Extensibility turned on in your IIS install. In Windows 7, this is what the window looks like:

Enable .NET Extensibility

3) You have a .NET version conflict. You'll need to remove all versions of .NET from your machine and re-install Lucee to let the installer handle installing .NET.

Hope this helps!

mod_cfml 1.1 is released! Fast, reliable, and new features!

For those of you familiar with the mod_cfml project, you know it consists of two separate parts: the web server adapter, which provides information about the web site being served, and the Tomcat valve, which takes that information and automatically processes it within Tomcat, creating a new host, alias, etc. as needed so that Tomcat matches the information coming from the web server. Both the web server adapter and the Tomcat valve have been greatly enhanced in mod_cfml version 1.1.

New features in The Tomcat valve:

  • Speed: the process of creating a new host in Tomcat has been greatly reduced and has taken less than a second in all our tests - down from several seconds in previous versions of mod_cfml. Jar scanning is disabled by default.
  • Speed: the process of "waiting for context files" has been completely removed as it is no longer necessary.
  • Speed and memory footprint: only one Tomcat “Host container” is created per Apache/IIS virtualhost/context. All aliases / default site hosts / IP-based hosts, are now added as aliases. The process of creating a new alias is lightning fast.
  • Bugfix: Thread safety errors have been corrected, and hosts are now created reliably in every event.


Next, the web server adapter for Apache 2.4 has been completely re-written in C! This means that any system can run mod_cfml natively without the need for mod_perl. The mod_perl version of mod_cfml will still be available for Apache 2.2, but will no longer be maintained. With Apache 2.4 and a native C module, mod_cfml can run natively on any system with extreme speed and only a few lines of config!

The new adapter also includes the following enhancements:

  • Feature: SES URL support is now handled automatically using path_info. Previously, URLs like /some/page.cfm/id/123 would not work out of the box with Tomcat. With mod_cfml 1.1, now they do! This feature is supported in Lucee, OpenBD, and Railo.
  • Security: A shared secret key implementation has been added to prevent unauthorized context creation.
  • Feature: Virtual directories, or “Aliases” in Apache, are now passed by default from the file and handled automatically by Lucee for the current request. Check the documentation for more details on this.


Documentation for mod_cfml 1.1 is HERE.

Installation instructions for mod_cfml 1.1 are HERE.


Huge "Thank you!" to Paul Klinkenberg and Bilal Soylu for their amazing dedication to this project. You two are awesome!


So... what are you waiting for? Install! Upgrade! Stay secure and have fun with CFML!