Home / server / Questions / 724219
In Process
mjn
Asked: 2015-09-24 00:17:53 +0800 CST

Sophos firewall default settings do not allow HTTPS from Java 6 clients

  • 772

Our current (default) Sophos firewall (Apache reverse proxy) settings does not allow Java 6 clients to connect over HTTPS. The ssltest result shows that the reason is "Client does not support DH parameters > 1024 bits".

ssltest reports with 'A' rating for other sites (e.g. https://bsi.de) prove that there are ways to configure a HTTPS firewall so that Java 6 clients are able to connect.

We contacted Sophos support. Their answer was that we should not lower our security settings. Instead, our client should consider a Java upgrade.

Both answers certainly sound reasonable. However we have no influence on the IT configuration of our client.

Question: is it possible to configure a Apache reverse proxy so that incoming Java 6 HTTPS connections are possible, without lowering security?

If I compare our server cipher suites with a server who supports Java 6 HTTPS connections, I can see that we have more ciphers enabled, so I guess that the reason for Java 6 connectivity problems is one of the extra ciphers. However I guess that removing some of DH ciphers could introduce connectivity problems with other clients.

Our client asked us to remove all DHE ciphers. These are:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

We have several TLS_ECDHE_ ciphers installed.

A related article at https://security.stackexchange.com/questions/97750/usage-of-ephemeral-diffie-hellman-ciphers-in-2015-and-beyond says that

TLS_DHE_xxx cipher suites are not used much in the wild - Only one site (Wikipedia.org) in the top ten sites on Alexa.com actually uses them. None of the others do, instead relying on TLS_ECDHE_xxx or TLS_RSA_xxx ciphers. From this, I can only deduce that there are not many browsers out there that are affected by not using these ciphers, otherwise these large sites would be cutting people off.

So I guess it is safe to remove these ciphers if we know that no clients are require them, and see what happens.

firewall

0 Answers