How to disable TLSv1 on Sophos UTM9 WAF for PCI
As freaking annoying as it is that the Sophos UTM, a security appliance, does not pass a PCI compliance scan out of the box, what's worse is that the process for disabling TLSv1 for sites running behind the Sophos WAF is not documented anywhere that I can currently find.
So, in an effort to help the community at large, I decided to document how I fixed it.
First, I was able to find excellent documentation by a community member on how to disable TLSv1 for the Sophos admin interface:
This is helpful, but I also needed to know how to disable TLSv1 for sites that run behind the Sophos WAF.
After (a lot of) digging, I found that sites running behind the Sophos WAF are served by the Sophos service "reverseproxy", which is an Apache httpd running inside a chroot. This is the service whose configuration we need to edit to remove TLSv1 support.
The above documentation covers how to get a command-line login on a Sophos UTM9, so I won't repeat it. Once you're logged in, run the following commands:
sudo vim /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf
Find these two lines. Note that in the stock file the SSLProtocol directive is commented out, so mod_ssl falls back to its default of all protocols, which is why TLSv1 is still accepted:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
#SSLProtocol all -SSLv2 -SSLv3
Change them to the following. Because the new SSLProtocol value uses only "+" tokens, mod_ssl starts from an empty set and enables exactly TLSv1.1 and TLSv1.2, so SSLv3 and TLSv1 are both off. The new cipher list also drops the 3DES suites and the anonymous DH/ECDH suites:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES
SSLProtocol +TLSv1.1 +TLSv1.2
Then restart the "reverseproxy" service with the following command:
sudo /var/mdw/scripts/reverseproxy restart
Check that you can no longer access your site using TLSv1 with the following command (replacing the domain name with your own):
openssl s_client -connect utdream.org:443 -tls1
You'll get a handshake failure if TLSv1 has been properly disabled; the output includes a line like this:
SSL handshake has read 0 bytes and written 0 bytes
To be sure the failure is on the server side and not your client, also run the same command with -tls1_2 and confirm that handshake still succeeds. Since the UTM manages this configuration file itself, re-run the TLSv1 check after WAF configuration changes and firmware updates to make sure the setting has not been reverted.
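The subtle part of the fix above is how mod_ssl evaluates SSLProtocol: a bare token replaces the protocol set, "+" adds to an empty starting set, "-" removes, and a commented-out directive means the default of "all" applies. The following is an added example, not code from the original post or from Sophos: a small POSIX shell script that reads an httpd.conf, evaluates the effective SSLProtocol value under those rules, and reports whether TLSv1 is still enabled, so you can check the file before and after the edit without waiting for a rescan. The two embedded config snippets are constructed from the lines shown in the post; the function and variable names are my own, and the script assumes a single global SSLProtocol directive written in the same case as the stock file, as in the post (it does not handle per-VirtualHost overrides). The tls1_rejected helper wraps the same openssl s_client check the post uses and is only meant to be run from a client host against the real site.

```shell
#!/bin/sh
# Added example: evaluate Apache mod_ssl's SSLProtocol semantics and report
# whether TLSv1 is still accepted. Not part of the original post or of Sophos.

# Usage: sslprotocol_allows PROTO DIRECTIVE-VALUE...
# Exit 0 if PROTO is in the protocol set that mod_ssl would build from the
# directive value. Semantics assumed from the mod_ssl documentation:
# bare token = replace set, +token = add, -token = remove, "all" = every
# protocol; the set starts empty.
sslprotocol_allows() {
    want=$1
    shift
    directive=$*
    proto_set=""
    for tok in $directive; do
        case $tok in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok ;;
        esac
        if [ "$name" = "all" ]; then
            name="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"
        fi
        case $op in
            set) proto_set=$name ;;
            add) proto_set="$proto_set $name" ;;
            del)
                kept=""
                for n in $proto_set; do
                    case " $name " in
                        *" $n "*) ;;               # drop the removed protocol
                        *) kept="$kept $n" ;;
                    esac
                done
                proto_set=$kept
                ;;
        esac
    done
    case " $proto_set " in
        *" $want "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: effective_sslprotocol [FILE]   (reads stdin when FILE is omitted)
# Prints the value of the last active (uncommented) SSLProtocol line, or
# mod_ssl's default "all" when the directive is absent or commented out.
effective_sslprotocol() {
    awk 'tolower($1) == "sslprotocol" { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
         END { print (v == "" ? "all" : v) }' ${1:+"$1"}
}

# Usage: tlsv1_status [FILE]   -> prints "enabled" or "disabled"
tlsv1_status() {
    if sslprotocol_allows TLSv1 $(effective_sslprotocol ${1:+"$1"}); then
        echo enabled
    else
        echo disabled
    fi
}

# Live check from a client host, mirroring the post's openssl s_client test:
# exit 0 if the server refuses a TLSv1-only handshake. An OpenSSL build that
# itself refuses to offer TLSv1 would also fail here, so confirm -tls1_2 works
# from the same client first.
tls1_rejected() {
    ! openssl s_client -connect "$1:${2:-443}" -tls1 </dev/null >/dev/null 2>&1
}

# Constructed samples built from the two config states shown in the post.
STOCK_CONF='SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
#SSLProtocol all -SSLv2 -SSLv3'
FIXED_CONF='SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!3DES
SSLProtocol +TLSv1.1 +TLSv1.2'

printf 'stock config: TLSv1 %s\n' "$(printf '%s\n' "$STOCK_CONF" | tlsv1_status)"
printf 'fixed config: TLSv1 %s\n' "$(printf '%s\n' "$FIXED_CONF" | tlsv1_status)"
# On the UTM itself (assumed path from the post):
#   tlsv1_status /var/storage/chroot-reverseproxy/usr/apache/conf/httpd.conf
```

Note that the stock line, even if uncommented, would still report TLSv1 as enabled, because "all -SSLv2 -SSLv3" only strips the SSL protocols; the "+TLSv1.1 +TLSv1.2" form is what actually removes TLSv1.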