Disable TLS 1.1 and weak ciphers for TLS 1.2

Sorry for the long post...

Long story short, I have a group scanning the external side of my Firebox for security auditing from our corporate organization. This post is in regard to the default web server page enabled with the SSL VPN.

I'm getting negative marks for:
"This server supports TLS 1.1."

And for using these ciphers:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS

I do have an active support case regarding this but desire to learn more about how this works.

I'm told by Watchguard: TLS functionality and ciphers used seem to be set via the CA
I'm told by the person who issues our certificates: This functionality should be modified at the web server

How should this be resolved? I do not know how certificates work, as I've only recently been brought into a role where that knowledge is relevant. I'm also finding that the whole IT Security topic is so vast that I may never comprehend everything.

The cert is valid and was generated by DigiCert with a CSR from OpenSSL, as recommended by WatchGuard, with commands specific to our organization (per the person who generated the certificate).

Posting this now and hope to revisit sometime tomorrow or over the weekend but will be traveling. I'd love nothing more than to have some truly educational responses when I get back to it though.

Comments

  • Ralph, WatchGuard Representative

    Hello Bmax,

    Your certificate person is correct. Ciphers and all encryption is controlled by the web server.

    Could I get you to provide your support case number, then attach a copy of the scan results to it?

    Thank you.

  • Case #: 01330623
    There's a full report attached as well.

    Thank you.

  • Ralph, WatchGuard Representative

    Thanks. Clients and servers will always negotiate with the strongest available TLS version and ciphers as indicated in your simulated results. You should not be losing security points for simply supporting non-deprecated TLS versions or non-preferred ciphers.

    I've escalated your support case. A Support Engineer will reach out to you once the case has been reviewed.

  • "I'm also finding that the whole IT Security topic is so vast that I may never comprehend everything." Oh, you could not be more correct! It can be utterly overwhelming.

    What Firebox and Fireware are you running?

    If you are post 11.5.x, have you regenerated all the self-signed certs on the box so that they are all SHA256 and not SHA1?

    What are your results if you use https://www.ssllabs.com/ssltest/analyze.html to test (be sure to check the box not to show your results on the boards)?

    Interesting. I got curious and ran my own T35 running 12.5.2 Update 1 against that site and got "This server supports TLS 1.1. Grade will be capped to B from January 2020." Dang you! Now I have to check my own systems!

    Gregg Hill

  • The response to my support case came back that these are active feature requests to disable TLS 1.1 and select ciphers.

    Hopefully it'll be possible eventually.

  • Great. Thank you for the update.

    Gregg Hill

  • I've had this logged as a request since October 2019, still not fixed, and from 1st August security ratings will be downgraded as a result. It's all very well saying "Clients and servers will always negotiate with the strongest available TLS version and ciphers as indicated in your simulated results. You should not be losing security points for simply supporting non-deprecated TLS versions or non-preferred ciphers."

    But this is actually what is going to happen, so please WatchGuard get this fixed urgently or you will find customers leaving you.

  • This site https://www.ssllabs.com/ssltest/analyze.html flags my T20 as a B grade due to TLS 1.1 and weak ciphers. I have one client who gets the same grade and gets a warning every time she has a PCI scan done.

    Gregg Hill

  • Any updates on this?

  • @MS01

    I just checked https://www.ssllabs.com/ssltest/analyze.html again and I now get an "A" rating for my T20-W running 12.6.2 firmware. It shows it only supporting TLS 1.2 and 1.3, but still shows some weak ciphers for TLS 1.2.

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS WEAK 128
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS WEAK 128
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK 256

    Gregg Hill
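An added example, not code from WatchGuard or from anyone in this thread: it parses the cipher lines as pasted above, shows that every suite the scanner marks WEAK is a CBC-mode suite (AES-CBC with an HMAC tag, the "_CBC_SHA*" names) while the two constructed GCM lines are not flagged, and then builds the kind of server-side TLS policy the replies say belongs on the web server rather than on the certificate: a TLS 1.2 floor plus forward-secret AEAD suites only. The Firebox does not expose this policy to administrators, so the context here only illustrates what the fix looks like on a server whose TLS stack you do control; the cipher-list string and the TLS 1.3 line are the example's own assumptions.

```python
"""Classify scanner cipher lines and build the matching server-side policy.

Added example for this thread; not WatchGuard code and it does not change a
Firebox. The eight WEAK lines are copied from the thread; the two GCM lines
are constructed so the parser has an unflagged suite to contrast against.
"""
import ssl

SCAN_LINES = """\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS 256
"""


def parse_scan_line(line):
    """One report line -> dict. Token 0 is the IANA suite name, token 1 the
    hex id in parentheses; 'FS' and 'WEAK' are scanner flags."""
    tokens = line.split()
    name = tokens[0]
    return {
        "name": name,
        "id": int(tokens[1].strip("()"), 16),
        "forward_secrecy": "FS" in tokens,
        "flagged_weak": "WEAK" in tokens,
        # CBC mode with a separate HMAC, as opposed to an AEAD mode
        # (GCM, CCM, ChaCha20-Poly1305) which has no padding to attack.
        "cbc": "_CBC_" in name,
    }


def parse_report(text):
    """Parse every suite line in a pasted report, ignoring other text."""
    return [parse_scan_line(l) for l in text.splitlines() if l.startswith("TLS_")]


def classify(suites):
    """Return (keep, drop) name lists: drop every CBC-mode suite."""
    keep = [s["name"] for s in suites if not s["cbc"]]
    drop = [s["name"] for s in suites if s["cbc"]]
    return keep, drop


def weak_flag_tracks_cbc(suites):
    """True when WEAK is set on exactly the CBC suites and on nothing else."""
    return all(s["flagged_weak"] == s["cbc"] for s in suites)


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side policy a web server (not the CA) applies: TLS 1.2 floor and
    forward-secret AEAD suites only. certfile is optional so the policy can be
    inspected without key material."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses TLS 1.0 and 1.1
    # OpenSSL cipher-list syntax for the TLS 1.2 suites (assumed policy);
    # TLS 1.3 suites are AEAD-only and stay enabled by default.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def offered_cipher_names(ctx):
    """OpenSSL names of the suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    suites = parse_report(SCAN_LINES)
    keep, drop = classify(suites)
    print("WEAK flag matches CBC mode:", weak_flag_tracks_cbc(suites))
    print("drop:", *drop, sep="\n  ")
    print("keep:", *keep, sep="\n  ")
    ctx = hardened_server_context()
    print("floor:", minimum_version_name(ctx))
    print("hardened server offers:", *offered_cipher_names(ctx), sep="\n  ")
```

Running it prints the eight thread suites under "drop" and the two GCM suites under "keep", confirming that the grade cap is about CBC mode and the TLS 1.1 floor, not about the DigiCert certificate: the certificate only supplies the RSA key used in the `_RSA_` authentication step, while the version floor and the suite list are chosen by the server's TLS stack.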
