Disable TLS v1.0/1.1 for Proxy flow in Web Isolation


Article ID: 209688


Products

Web Isolation

Issue/Introduction

A user may want to disable TLS 1.0/1.1 as a vulnerability mitigation tactic. 

Cause

Web Isolation versions prior to WAI 1.15 may be flagged during a vulnerability scan because they still accept TLS 1.0/1.1 connections.

Environment

Release: Pre WAI 1.15. This issue has been addressed in WAI 1.15.

Component: OpenSSL

Resolution

For the proxy flow, edit records.config:

sudo vi /opt/fireglass/current/ci_infra/ats/config/records.config

Set both TLS 1.1 settings (server side and client side) to 0:
CONFIG proxy.config.ssl.TLSv1_1 INT 0
CONFIG proxy.config.ssl.client.TLSv1_1 INT 0


Restart the proxy container:

Find the container id: 'sudo docker ps | grep fireproxy'

Restart it: 'sudo docker restart <fireproxy container id>'


For the WebSocket / resources flow, get the clipr container id:

'sudo docker ps | grep clipr'

Enter the container:

'sudo docker exec -it <clipr container id> bash'

Remove TLSv1.1 from the ssl_protocols directive in '/etc/nginx/nginx.conf'

Restart the clipr container:

'sudo docker restart <clipr container id>'
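To confirm that both edits actually took effect before rescanning, the following audit helper can be run against the two files. It is an added example, not part of the KB article or the product: the file paths are parameters, and the sample files it writes are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added audit helper, not part of the KB article or the product: checks that
# the records.config and nginx.conf edits described above are in place.
# On the appliance the real files are
#   /opt/fireglass/current/ci_infra/ats/config/records.config
#   /etc/nginx/nginx.conf (inside the clipr container)

# Return 0 only when BOTH TLSv1_1 settings in records.config are INT 0;
# fixing just one of them leaves the other direction still negotiable.
records_tls11_disabled() {
    grep -Eq '^CONFIG[[:space:]]+proxy\.config\.ssl\.TLSv1_1[[:space:]]+INT[[:space:]]+0([[:space:]]|$)' "$1" &&
    grep -Eq '^CONFIG[[:space:]]+proxy\.config\.ssl\.client\.TLSv1_1[[:space:]]+INT[[:space:]]+0([[:space:]]|$)' "$1"
}

# Return 0 when no uncommented ssl_protocols directive still lists TLSv1 or TLSv1.1.
nginx_legacy_tls_absent() {
    if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" |
        grep -Eq '(^|[[:space:]])TLSv1(\.1)?([[:space:];]|$)'; then
        return 1
    fi
    return 0
}

# Constructed sample files (not real appliance configs) so the checks can run
# stand-alone: one compliant and one weak variant of each file.
write_samples() {
    dir=$(mktemp -d)
    printf 'CONFIG proxy.config.ssl.TLSv1_1 INT 0\nCONFIG proxy.config.ssl.client.TLSv1_1 INT 0\n' > "$dir/records.config"
    printf 'CONFIG proxy.config.ssl.TLSv1_1 INT 1\nCONFIG proxy.config.ssl.client.TLSv1_1 INT 0\n' > "$dir/records.weak"
    printf '    ssl_protocols TLSv1.2 TLSv1.3;\n' > "$dir/nginx.conf"
    printf '    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$dir/nginx.weak"
    echo "$dir"
}

# Print a one-line verdict per file; usage: audit RECORDS_CONFIG NGINX_CONF
audit() {
    if records_tls11_disabled "$1"; then echo "records.config: TLSv1.1 disabled"
    else echo "records.config: TLSv1.1 still enabled"; fi
    if nginx_legacy_tls_absent "$2"; then echo "nginx.conf: no TLSv1/TLSv1.1 listed"
    else echo "nginx.conf: legacy TLS still listed"; fi
}
```

Run `audit` with the real paths on the appliance (the nginx check from inside the clipr container); a partial edit, such as only one of the two records.config lines, is reported as still enabled.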


Note that these changes will not survive an upgrade to another 1.14 version; they must be reapplied after upgrading.