
SWEET 32 Vulnerability

shwazh Newbie ✭

Hi All,

I have configured SSL VPN, and our information security team has informed us that the 3DES cipher is configured on port 4433, which is used for SSL VPN. We have tried to disable it through all the possible methods, like blocking it from Cipher Control and using AES in the VPN configuration, but it still shows up.

The following ciphers are shown as configured:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)

Any solution for how we can disable these ciphers?

Category: SSL VPN

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @shwazh what firmware version are you running on your firewall?

    —Michael@BWC

  • shwazh Newbie ✭

    @BWC

    Firmware that we have is SonicOS Enhanced 6.5.4.15-116n.

  • BWC Cybersecurity Overlord ✭✭✭

    Hopefully I'm not mistaken, but I believe Cipher Control does not affect SSL-VPN, only DPI-SSL, SSL Control and Management.

    I checked on a 6.5.4.15 deployment and 3DES wasn't returned for me.

    | ssl-enum-ciphers: 
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors: 
    |       NULL
    |     cipher preference: server
    |_  least strength: A
    

    I checked with "nmap --script ssl-enum-ciphers -p 4433 firewall-ip".

    "Enable TLS compatible mode" on the internal settings is not enabled and TLS 1.1 is disabled.

    —Michael@BWC
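
A small checker, added here as an example (it is not code from the thread or from SonicWall), that parses nmap's ssl-enum-ciphers output in the layout shown above and lists the suites a SWEET32 report would flag. The embedded sample output is constructed from the two 3DES suites in the question; the grades shown for them are assumed.

```python
import re
import sys

# Constructed sample (not the thread's real scan): the two 3DES suites from the
# question, laid out in the nmap ssl-enum-ciphers format shown in the thread.
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Name fragments of TLS suites built on a 64-bit block cipher (the SWEET32 class).
SWEET32_MARKERS = ("3DES", "DES_CBC", "IDEA", "RC2")

PROTO_LINE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):")
# suite name, key-exchange detail in parentheses, optional " - <grade>" from nmap.
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)(?:\s+-\s+(\S+))?")


def parse_ssl_enum_ciphers(text):
    """Return (protocol, suite, key_exchange, grade) tuples from ssl-enum-ciphers output."""
    suites, proto = [], None
    for line in text.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_LINE.match(line)
        if m and proto:
            suites.append((proto, m.group(1), m.group(2), m.group(3)))
    return suites


def sweet32_findings(text):
    """Suites a SWEET32 scanner would flag; an empty list means the port is clean."""
    return [(proto, suite) for proto, suite, _, _ in parse_ssl_enum_ciphers(text)
            if any(marker in suite for marker in SWEET32_MARKERS)]

if __name__ == "__main__":
    # Pipe real output in: nmap --script ssl-enum-ciphers -p 4433 <host> | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NMAP_OUTPUT
    for proto, suite in sweet32_findings(data):
        print(f"SWEET32: {proto} still offers {suite}")
```

Re-run it after each firmware or internal-settings change; the 4433 listener is only fixed when the list comes back empty.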

  • shwazh Newbie ✭

    Hi @BWC,

    We have cross-checked; this is our output from nmap.

    Also, can you share the path through which we can make the following settings?

    "Enable TLS compatible mode" on the internal settings is not enabled and TLS 1.1 is disabled.

  • BWC Cybersecurity Overlord ✭✭✭
    edited January 2

    I totally overlooked your firmware version; there is a 6.5.4.15-117n available, IMHO with SSL-VPN related fixes. Sorry for that.

    I enabled "Enforce TLS 1.1 and Above" at Manage → System Setup → Appliance → Base Setup.

    On the internal settings page (replace main.html with diag.html in the address bar) I left "Enable TLS compatible mode" unticked and "Disable TLSv1_1" ticked.

    Also on the internal settings page I have "SSL Version: TLSv1.2" and "Cipher Methods: Secure Ciphers" selected, but these settings are DPI-SSL related and should not affect SSL-VPN.

    —Michael@BWC

  • shwazh Newbie ✭

    Hi @BWC,

    I have done the same, but the 3DES ciphers are still showing in the nmap output.

  • BWC Cybersecurity Overlord ✭✭✭

    @shwazh did you update to 6.5.4.15-117n (you had -116n)? This might be the difference.

    —Michael@BWC

  • shwazh Newbie ✭

    Thanks for the help @BWC

    On the internal settings page (replace main.html with diag.html in the address bar) I left "Enable TLS compatible mode" unticked and "Disable TLSv1_1" ticked.

    This worked with a restart.
