topic TLS version in Firewall and Security Management

TLS version

lemm — Fri, 22 Nov 2024 11:27:51 GMT

Hi All,

I have disabled tls v1 and v1.1 from my firewalls , but during a recent pen test it found an issue "Insecure SSL/TLS Protocols - LOW - External".

I have used show ssl tls enabled command and can see only tls v1.2 is enabled.

Can you help with some other commands to check further or what could cause this issue to pop up during pen test ?

Chris_Atkinson — Fri, 22 Nov 2024 12:12:46 GMT

You disabled via CLI? Maybe also check sk154532 depending on the port / service reported by the scan.

AkosBakos — Fri, 22 Nov 2024 12:59:15 GMT

Hello,

To check SSL V2

openssl s_client -connect secureurl.com:443 -ssl2

To Check SSL V3

openssl s_client -connect secureurl.com:443 –ssl3

To Check TLS 1.0

openssl s_client -connect secureurl.com:443 –tls1

To Check TLS 1.1

openssl s_client -connect secureurl.com:443 –tls1_1

To Check TLS 1.2

openssl s_client -connect secureurl.com:443 –tls1_2

Check that IP which was marked as vulnerable in the report.

Akos

the_rock — Fri, 22 Nov 2024 13:02:59 GMT

Can you see what you have here in global properties in smart console?

Andy

CaseyB — Fri, 22 Nov 2024 14:24:55 GMT

You might need to disable some ciphers even though TLS 1.2 is the only thing enabled; we had something similar happen with our pen test.

We "passed" using this configuration:

AkosBakos — Fri, 22 Nov 2024 14:28:44 GMT

And you can test it, one-by-one too 🙂

openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443

the_rock — Fri, 22 Nov 2024 14:30:56 GMT

Just tried with google.com, super useful command!

Andy