Disable TLS 1.1 and weak ciphers for TLS 1.2

Sorry for the long post...

Long story short, I have a group scanning the external side of my Firebox for security auditing from our corporate organization. This post is in regard to the default webserver page enabled with the SSL VPN.

I'm getting negative marks for:
"This server supports TLS 1.1."

And for using these ciphers:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS

I do have an active support case regarding this but desire to learn more about how this works.

I'm told by Watchguard: TLS functionality and ciphers used seem to be set via the CA
I'm told by the person who issues our certificates: This functionality should be modified at the web server

How should this be resolved? I do not know how certificates work, as I've only recently been brought into a role where that knowledge is relevant. I'm also finding that the whole IT Security topic is so vast that I may never comprehend everything.

The cert is valid and was generated by DigiCert with a CSR from OpenSSL as recommended by WatchGuard, with commands specific to our organization (per the person who generated the certificate).

Posting this now and hope to revisit sometime tomorrow or over the weekend but will be traveling. I'd love nothing more than to have some truly educational responses when I get back to it though.


  • Ralph (WatchGuard Representative)

    Hello Bmax,

    Your certificate person is correct. Ciphers and all encryption is controlled by the web server.

    Could I get you to provide your support case number and then attach a copy of the scan results to it?

    thank you

  • Case #: 01330623
    There's a full report attached as well.

    Thank you.

  • Ralph (WatchGuard Representative)

    Thanks. Clients and servers will always negotiate with the strongest available TLS version and ciphers as indicated in your simulated results. You should not be losing security points for simply supporting non-deprecated TLS versions or non-preferred ciphers.

    I've escalated your support case. A Support Engineer will reach out to you once the case has been reviewed.
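The scan findings above can be reproduced without touching the Firebox. The example below is added here; it is not WatchGuard code and not from anyone in this thread. It assumes only Python's standard `ssl` module on top of OpenSSL. Part 1 classifies the eight IANA-named suites from the report, showing that every one of them is a CBC suite (and four also use an HMAC-SHA1 MAC), which is what a scanner like SSL Labs marks as weak. Part 2 builds two server-side `SSLContext` objects, one mirroring the scanned configuration (TLS 1.1 accepted, CBC suites offered) and one hardened to TLS 1.2 minimum with AEAD suites only, and lists which offered suites a scanner would still flag. The OpenSSL cipher names and the hardened cipher string are my assumptions about a reasonable policy, not a WatchGuard setting. The point it demonstrates is the one from the replies: a scanner grades every version and suite the server is willing to accept, and those are properties of the server's TLS configuration, not of the certificate DigiCert issued.

```python
"""
Added example (not from the WatchGuard thread or WatchGuard code): TLS version
and cipher-suite policy is a property of the server's TLS configuration, not of
the certificate. Part 1 classifies the suites from the scan report; part 2 builds
server-side contexts with Python's ssl module and shows what a scanner would flag.
"""
import ssl
import warnings

# IANA suite names and code points copied from the scan report in the post.
SCANNED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xC027,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": 0x006B,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
}

# OpenSSL spellings of the same eight suites (assumed mapping, same code points).
SCANNED_OPENSSL_NAMES = (
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA"
)


def classify_suite(iana_name):
    """Reasons a scanner marks an IANA-named suite as weak; [] means none."""
    reasons = []
    if "_CBC_" in iana_name:
        reasons.append("CBC mode rather than AEAD")
    if iana_name.endswith("_SHA"):
        reasons.append("HMAC-SHA1 integrity")
    if any(bad in iana_name for bad in ("_RC4_", "_3DES_", "_NULL_", "_EXPORT", "_MD5")):
        reasons.append("broken or export-grade primitive")
    # TLS 1.3 names have no "_WITH_" and always use an ephemeral key exchange.
    is_tls13 = "_WITH_" not in iana_name
    if not is_tls13 and not iana_name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        reasons.append("no forward secrecy")
    return reasons


def scan_findings():
    """Map each scanned suite to the reasons it was flagged."""
    return {name: classify_suite(name) for name in SCANNED_SUITES}


def as_scanned_server_context():
    """Server policy as the scanner saw it: TLS 1.1 accepted, CBC suites offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError):
        pass  # some OpenSSL builds refuse TLS 1.1 outright; the cipher list still applies
    ctx.set_ciphers(SCANNED_OPENSSL_NAMES)
    return ctx


def hardened_server_context():
    """What the scanner wants: TLS 1.2 minimum, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed policy string: ECDHE/DHE key exchange with AES-GCM or ChaCha20-Poly1305,
    # and an explicit ban on anonymous, MD5 and SHA1-MAC suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!SHA1")
    return ctx


def non_aead_suites(ctx):
    """Names of enabled suites that are not AEAD, i.e. what a scanner would flag."""
    return sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])


if __name__ == "__main__":
    for name, reasons in scan_findings().items():
        print(f"{name} (0x{SCANNED_SUITES[name]:04X}): {', '.join(reasons)}")
    print("as scanned, non-AEAD suites offered:", non_aead_suites(as_scanned_server_context()))
    print("hardened, non-AEAD suites offered:", non_aead_suites(hardened_server_context()))
```

Run stand-alone it prints the reason each scanned suite was flagged, then the non-AEAD suites each context still offers (a non-empty list for the as-scanned policy, an empty list for the hardened one). On the Firebox itself the equivalent knob is whatever the firmware exposes for the SSL VPN web server's TLS settings, which per the later replies was still a feature request at the time; nothing about the certificate or the CSR changes what the server offers.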

  • "I'm also finding that the whole IT Security topic is so vast that I may never comprehend everything." Oh, you could not be more correct! It can be utterly overwhelming.

    What Firebox and Fireware are you running?

    If you are post 11.5.x, have you regenerated all the self-signed certs on the box so that they are all SHA256 and not SHA1?

    What are your results if you use https://www.ssllabs.com/ssltest/analyze.html to test (be sure to check the box not to show your results on the boards)?

    Interesting. I got curious and ran my own T35 running 12.5.2 Update 1 against that site and got "This server supports TLS 1.1. Grade will be capped to B from January 2020." Dang you! Now I have to check my own systems!

    Gregg Hill

  • The response to my support case came back that these are active feature requests to disable TLS 1.1 and select ciphers.

    Hopefully it'll be possible eventually.
  • Great. Thank you for the update.

    Gregg Hill
