Tag Archives: SSL

Sophos XG Firewall PCI Compliance Woes

Recently I deployed a Sophos XG firewall to replace my very much aging Microsoft Forefront TMG 2010 firewalls. For the most part, after lots of back and forth with Sophos tech support, I got it working correctly for things like Outlook Anywhere, Web and Mobile Access, protecting internal websites, and general web filtering. Everything seemed fine until our monthly PCI compliance scans came along and we failed miserably. TLS 1.0 was enabled, HTTP TRACK/TRACE was enabled, and 64-bit block ciphers (3DES) were enabled for each external IP that we were hosting a site on. I contacted Sophos and, long story short, there is currently no way to fix these through the UI (v16); all of them require manually editing the Apache httpd.conf file on the box. So here is how to do it.

First telnet into your XG, log in, then go to 5 Device Management, then 3 Advanced Shell. Type in the following:

# mount -no remount,rw /
# vi /usr/apache/conf/httpd.conf

You should now be able to edit the file. Press “I” once to enter insert mode. Find the SSLCipherSuite line and remove any sections (between the colons) that contain 3DES. For example, the original cipher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cipher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Now find the SSLProtocol line, usually right below the ciphers, and remove support for a protocol by adding it to the list with a leading minus. Here is the original line:

SSLProtocol all -SSLv2 -SSLv3

Modified protocols line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Lastly, to disable HTTP TRACE, add a new line under these:

TraceEnable off

Hit ESC, then :w and Enter to write the file, then :q and Enter to quit. Then restart the services and remount the root filesystem read-only (the ro in the last command):

# service apache:restart -ds nosync
# service WAF:restart -ds nosync
# mount -no remount,ro /

Keep in mind that any Outlook 2010 clients you have in the field might try to connect using TLS 1.0 and will fail with a cryptic proxy server error. You can follow this site to hopefully fix that: https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/
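Since the XG gives you no UI for these settings, it helps to have a quick way to check the edited httpd.conf for the three things the PCI scan flagged before the next monthly scan does it for you. This is an added example, not part of the original post or a Sophos tool; the two config fragments are constructed from the original and modified lines above, and the ALL_PROTOCOLS set is my assumption of what "all" expands to on this Apache build.

```python
# Constructed httpd.conf fragments: the original and hardened SSL lines from this post.
ORIGINAL_CONF = """\
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3
"""
HARDENED_CONF = """\
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
TraceEnable off
"""

# Assumption: what "all" expands to on this Apache build (TLSv1.3 left out; add it
# if the server's OpenSSL supports it). Everything below TLSv1.2 fails the PCI scan.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = ALL_PROTOCOLS - {"TLSv1.2"}

def directives(conf):
    """Map directive name -> value; Apache honours the last occurrence, so do we."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if line:
            parts = line.split(None, 1)
            out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out

def enabled_protocols(value):
    """Resolve an SSLProtocol value ('all -SSLv2 -SSLv3 ...') to the enabled set."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(conf):
    """Return the findings the monthly scan raised; an empty list means clean."""
    d = directives(conf)
    findings = []
    weak = [s for s in d.get("SSLCipherSuite", "").split(":")
            if "3DES" in s.upper() and not s.startswith("!")]
    if weak:
        findings.append("64-bit block cipher (3DES) still offered: " + ":".join(weak))
    legacy = enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    if d.get("TraceEnable", "on").lower() != "off":  # Apache default is on
        findings.append("HTTP TRACE enabled (add 'TraceEnable off')")
    return findings
```

Run audit() over the contents of /usr/apache/conf/httpd.conf after editing; the original lines produce three findings and the modified lines produce none.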

Adding an SSL Certificate to a Vykon AX Web Supervisor


A couple of years ago I helped set up an SSL certificate for an AX Supervisor, a product that is usually used as a web interface front end to an automation product called a JACE. The software was installed on a Microsoft Server 2008 R2 system and was serving up the information through a B2B VPN, and the other company, even though the traffic was “internal”, requested an SSL certificate. No biggie, I thought, I’ve installed SSL certificates many times. So I installed the certificate on the server, but the AX software didn’t see it. I went into the software’s platform and into the Certificate Management section to import a certificate. It only accepted pem files, so I converted my Windows certificate over, but it didn’t like that either. So I started reading the only guide I could find on the subject, titled “NiagaraAX SSL Connectivity Guide”. Ironically it has page after page on how SSL works and how to generate a self-signed certificate, then export it and import it onto all of the computers accessing the system, but nothing on importing an existing certificate as a pem file. Long story short, the way an AX Supervisor wants the pem is to have it include the key, the certificate, the intermediate certificate, and the root certificate, in that order, all in one file. So for the 9 people in the universe that will actually need to do this sometime in their life and can’t figure it out, here is what I had to do.

First I downloaded the Windows 32-bit binaries of OpenSSL (from https://slproweb.com/products/Win32OpenSSL.html) and installed them. I copied the pfx file that I had exported from my server (with key and password) into the same directory as openssl.exe (usually the bin folder). I opened a command prompt, navigated to the bin directory, and ran the first command to extract my private key:

openssl pkcs12 -in CertExport.pfx -nocerts -nodes -out key.pem

Then another command to export my certificate:

openssl pkcs12 -in CertExport.pfx -nokeys -out cert.pem

I now needed my intermediate and root certificates, which, since I was using GoDaddy, were downloadable from their site ( https://certs.godaddy.com/repository ). I imagine it’s the same for any other certificate authority. I created a new text file and first pasted in the contents of the key.pem file (minus the Bag Attributes headers, keeping the BEGIN and END lines), then followed it with the contents of my cert.pem file (again, no headers), then, and this is important, followed those with the intermediate and then the root. I saved this as MYFullCert.pem and it imported right in without an issue. I was then able to use that for both the Platform SSL certificate and for the Station’s WebService certificate. Rebooted the server and everything looked good.

Note: This applies to AX 3.7. I have found the certificate will not import into 3.8 using the same instructions. What does work, however, is importing it into 3.7 and then exporting it. The exported file appears to have an extra line added, and that file does work on 3.8.
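The manual cut-and-paste step is where this usually goes wrong (a stray Bag Attributes line, or the intermediate and root swapped), so here is the same assembly done in code. This is an added example, not part of the original post or of the Niagara software; the four PEM inputs are constructed stand-ins for the files the openssl commands produce, with placeholder bodies rather than real key or certificate material.

```python
import re

# Constructed stand-ins for the files the openssl commands above produce. The
# Bag Attributes / subject / issuer lines are what must be stripped; the base64
# bodies are placeholders, not real key or certificate material.
KEY_PEM = """\
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
-----BEGIN PRIVATE KEY-----
KEYPLACEHOLDER==
-----END PRIVATE KEY-----
"""
CERT_PEM = """\
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=www.example.com
issuer=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER==
-----END CERTIFICATE-----
"""
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATEPLACEHOLDER==\n-----END CERTIFICATE-----\n"
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nROOTPLACEHOLDER==\n-----END CERTIFICATE-----\n"

# A PEM block runs from a BEGIN line to the END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

def pem_blocks(text):
    """Return only the BEGIN/END blocks in text, discarding header lines around them."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]

def build_ax_bundle(key_pem, cert_pem, intermediate_pem, root_pem):
    """Concatenate key, leaf certificate, intermediate, root: the order AX 3.7 wants."""
    wanted = (("key", key_pem, "PRIVATE KEY"),
              ("certificate", cert_pem, "CERTIFICATE"),
              ("intermediate", intermediate_pem, "CERTIFICATE"),
              ("root", root_pem, "CERTIFICATE"))
    parts = []
    for label, src, want in wanted:
        blocks = pem_blocks(src)
        if len(blocks) != 1:
            raise ValueError(f"{label}: expected one PEM block, found {len(blocks)}")
        kind = PEM_BLOCK.match(blocks[0]).group(1)
        # "RSA PRIVATE KEY" and "PRIVATE KEY" are both fine; an encrypted key is not,
        # since the -nodes export above leaves the key unencrypted.
        if want not in kind or "ENCRYPTED" in kind:
            raise ValueError(f"{label}: expected a {want} block, found {kind}")
        parts.append(blocks[0])
    return "\n".join(parts) + "\n"
```

Write the returned string to MYFullCert.pem; feeding the files in the wrong order (for example a certificate where the key belongs) raises instead of producing a bundle the Supervisor will silently reject.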