Disable TLS v1.0/1.1 for Proxy flow in Web Isolation



Article ID: 209688




Web Isolation


An administrator may want to disable TLS 1.0/1.1 as a vulnerability mitigation measure.


Release: Pre WAI 1.15. This issue has been addressed in WAI 1.15.

Component: OpenSSL


Web Isolation versions prior to WAI 1.15 may be flagged during a vulnerability scan because they still accept TLS 1.0/1.1.


For the proxy flow, edit records.config:

sudo vi /opt/fireglass/current/ci_infra/ats/config/records.config

Set the TLS 1.1 settings (server side and client side) to 0:
CONFIG proxy.config.ssl.TLSv1_1 INT 0
CONFIG proxy.config.ssl.client.TLSv1_1 INT 0


Restart the proxy container:

Run 'sudo docker ps | grep fireproxy' to find the container id.

Run 'sudo docker restart <fireproxy container id>'


For WebSocket / resources traffic, get the clipr container id:

'sudo docker ps | grep clipr'

Enter the container:

'sudo docker exec -it <clipr container id> bash'

Remove TLSv1.1 from the ssl_protocols directive in the file '/etc/nginx/nginx.conf'.

Restart the clipr container:

'sudo docker restart <clipr container id>'


Please note that these changes will not survive an upgrade to another 1.14 version, so they must be reapplied after upgrading.
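The following script is an added example and is not code from this article or from the Web Isolation product. It performs the two manual edits above idempotently (so it can be rerun after a 1.14 upgrade), then verifies the result: every legacy key in records.config is 0 and no ssl_protocols line in nginx.conf still lists TLSv1 or TLSv1.1. It goes one step beyond the article by also turning off TLS 1.0 through the keys proxy.config.ssl.TLSv1 and proxy.config.ssl.client.TLSv1; those are the standard Apache Traffic Server names and are an assumption here, since the article only shows the 1.1 keys. The container lookup mirrors the article's 'docker ps | grep', and nginx.conf is copied out of the clipr container with docker cp and back again instead of being edited in an interactive docker exec session.

```shell
#!/bin/sh
# Added example (not from the KB article): script the article's records.config and
# nginx.conf edits, restart the containers, and verify that TLS 1.0/1.1 are off.
# Assumption: the TLS 1.0 keys proxy.config.ssl.TLSv1 / proxy.config.ssl.client.TLSv1
# follow Apache Traffic Server's naming; the article itself only shows the 1.1 keys.

ATS_RECORDS="${ATS_RECORDS:-/opt/fireglass/current/ci_infra/ats/config/records.config}"  # path from the article
LEGACY_KEYS="proxy.config.ssl.TLSv1 proxy.config.ssl.client.TLSv1 proxy.config.ssl.TLSv1_1 proxy.config.ssl.client.TLSv1_1"

# set_ats_int FILE KEY VALUE: rewrite "CONFIG KEY INT <old>" to VALUE, or append the line if absent.
set_ats_int() {
  _file=$1; _key=$2; _val=$3
  if grep -q "^CONFIG $_key INT " "$_file"; then
    sed "s|^CONFIG $_key INT .*|CONFIG $_key INT $_val|" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
  else
    printf 'CONFIG %s INT %s\n' "$_key" "$_val" >> "$_file"
  fi
}

# disable_legacy_tls_ats FILE: disable TLS 1.0 and 1.1 on both the browser-facing
# (server) and origin-facing (client) sides of the proxy.
disable_legacy_tls_ats() {
  for _k in $LEGACY_KEYS; do set_ats_int "$1" "$_k" 0; done
}

# disable_legacy_tls_nginx FILE: drop the TLSv1 and TLSv1.1 tokens from every
# ssl_protocols directive, preserving indentation and the remaining protocols.
disable_legacy_tls_nginx() {
  awk '
    /^[[:space:]]*ssl_protocols[[:space:]]/ {
      match($0, /^[[:space:]]*/); indent = substr($0, 1, RLENGTH)
      sub(/;[[:space:]]*$/, "")                  # strip the terminating semicolon
      n = split($0, tok, /[[:space:]]+/); out = ""
      for (i = 1; i <= n; i++) {
        if (tok[i] == "" || tok[i] == "TLSv1" || tok[i] == "TLSv1.1") continue
        out = out (out == "" ? "" : " ") tok[i]  # keeps "ssl_protocols" and TLSv1.2/1.3
      }
      print indent out ";"; next
    }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# verify_legacy_tls_off RECORDS NGINX: succeed only if every legacy key is 0 and
# no ssl_protocols directive still allows TLSv1/TLSv1.1 (or has been left empty).
verify_legacy_tls_off() {
  for _k in $LEGACY_KEYS; do
    grep -q "^CONFIG $_k INT 0$" "$1" || { echo "ATS: $_k is not 0" >&2; return 1; }
  done
  if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$2" | grep -Eq '(^|[[:space:]])TLSv1(\.1)?([[:space:];]|$)'; then
    echo "nginx: ssl_protocols still allows TLSv1/TLSv1.1" >&2; return 1
  fi
  if grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]*;' "$2"; then
    echo "nginx: ssl_protocols would list no protocol at all" >&2; return 1
  fi
  return 0
}

# Run with --apply on the Web Isolation host to carry out the article's procedure.
if [ "${1:-}" = "--apply" ]; then
  disable_legacy_tls_ats "$ATS_RECORDS"
  fireproxy=$(sudo docker ps | grep fireproxy | awk '{print $1}')
  sudo docker restart "$fireproxy"
  clipr=$(sudo docker ps | grep clipr | awk '{print $1}')
  tmp=$(mktemp)
  sudo docker cp "$clipr:/etc/nginx/nginx.conf" "$tmp"   # edit outside the container, then copy back
  disable_legacy_tls_nginx "$tmp"
  sudo docker cp "$tmp" "$clipr:/etc/nginx/nginx.conf"
  sudo docker restart "$clipr"
  verify_legacy_tls_off "$ATS_RECORDS" "$tmp" && echo "TLS 1.0/1.1 disabled in proxy and clipr"
fi
```

Without --apply the script only defines the functions, so it can be sourced and pointed at copies of the two files to check a host before touching anything. Because the edits are idempotent, the same invocation can be scheduled to run again after each 1.14 upgrade that resets the configuration.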