Disable TLS 1.1 and weak ciphers for TLS 1.2
Sorry for the long post...
Long story short, I have a group scanning the external side of my Firebox for security auditing from our corporate organization. This post is in regard to the default web server page enabled with the SSL VPN.
I'm getting negative marks for:
"This server supports TLS 1.1."
And for using these ciphers:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS
I do have an active support case regarding this but desire to learn more about how this works.
I'm told by WatchGuard: TLS functionality and ciphers used seem to be set via the CA.
I'm told by the person who issues our certificates: This functionality should be modified at the web server.
How should this be resolved? I do not know how certificates work, as I've only recently been brought into a role where that knowledge is relevant. I'm also finding that the whole IT Security topic is so vast that I may never comprehend everything.
The cert is valid and was generated by DigiCert with a CSR from OpenSSL as recommended by WatchGuard, with commands specific to our organization (per the person who generated the certificate).
Posting this now and hope to revisit sometime tomorrow or over the weekend but will be traveling. I'd love nothing more than to have some truly educational responses when I get back to it though.
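The following is an added example, not from the original post and not WatchGuard's or DigiCert's code. It makes the educational point the thread is after: the protocol versions and cipher suites a server offers come from the server's TLS configuration, not from the certificate or the CA. The certificate only fixes the key type (an RSA key is why every suite in the report ends up as `_RSA_`). The script parses the scanner lines quoted above (copied here as constructed sample input) and explains why each suite is flagged (CBC mode, and for four of them an HMAC-SHA1 MAC), then shows what "set at the web server" looks like on a server you administer directly, using Python's `ssl` module to raise the minimum version to TLS 1.2 and keep only forward-secret AEAD suites. A Firebox's own TLS settings are managed through WatchGuard's tools, which this script does not touch.

```python
"""Explain a TLS scanner's cipher-suite findings and show a hardened server context."""
import re
import ssl

# Constructed sample input: the cipher-suite lines as the scanner printed them,
# in the same shape as the report quoted in the post.
SCANNER_REPORT = """\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS
"""

# IANA suite name followed by the hex code in parentheses.
SUITE_LINE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]+)\)")


def classify_suite(name):
    """Split an IANA suite name (TLS_<kx>_WITH_<cipher>_<mac>) into audit properties."""
    kx, _, rest = name.partition("_WITH_")
    kx = kx[len("TLS_"):]                      # e.g. ECDHE_RSA or DHE_RSA
    mac = rest.split("_")[-1]                  # SHA (= SHA-1), SHA256, SHA384
    aead = any(tag in rest for tag in ("GCM", "CCM", "POLY1305"))
    forward_secrecy = kx.startswith(("ECDHE", "DHE"))
    reasons = []
    if "CBC" in rest:
        reasons.append("CBC mode: MAC-then-encrypt rather than AEAD")
    if mac == "SHA":
        reasons.append("HMAC-SHA1 integrity")
    if not forward_secrecy:
        reasons.append("no forward secrecy")
    return {
        "name": name,
        "key_exchange": kx,
        "forward_secrecy": forward_secrecy,
        "aead": aead,
        "mac": mac,
        "acceptable": aead and forward_secrecy,
        "reasons": reasons,
    }


def audit_report(text):
    """Classify every suite line in a scanner report; other lines are ignored."""
    results = []
    for line in text.splitlines():
        match = SUITE_LINE.match(line.strip())
        if match:
            results.append(classify_suite(match.group(1)))
    return results


def hardened_server_context():
    """Server-side TLS settings: no TLS 1.0/1.1, forward-secret AEAD suites only.

    This is where the scanner findings are fixed on a server you configure
    yourself; the certificate loaded into the context does not change them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: ECDHE/DHE key exchange with AES-GCM or ChaCha20.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def offered_cipher_names(ctx):
    """OpenSSL names of the suites the context would still offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def minimum_version_name(ctx):
    return ctx.minimum_version.name


if __name__ == "__main__":
    for r in audit_report(SCANNER_REPORT):
        verdict = "ok" if r["acceptable"] else "flagged"
        print(f"{r['name']:<42} {verdict}: {'; '.join(r['reasons'])}")
    ctx = hardened_server_context()
    print("minimum version:", minimum_version_name(ctx))
    print("remaining suites:", ", ".join(offered_cipher_names(ctx)))
```

Running it shows that all eight reported suites are forward-secret (the `ECDHE`/`DHE` key exchange is fine) and are flagged only for the CBC bulk mode, plus HMAC-SHA1 on the four `_SHA` suites; the hardened context keeps only GCM and ChaCha20-Poly1305 suites and refuses TLS 1.1. The equivalent change on an appliance is made in its own TLS/SSL settings, not by reissuing the certificate.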