TLS 1.2 support and cipher suite configuration [message #148393] Mon, 06 July 2020 19:03
havx
Please add support for and the option to configure the LanGuard server and agents to use TLS 1.2 for communication as well as the ability to configure which cipher suites are accepted.

You could add advanced configuration settings to the application GUI. Or another suggested way to go about this could be simply adding an "Include product/product-ssl.conf" to the "..\GFI\LanGuard 12\HttpdConfig\product.conf" file and in the new editable "product-ssl.conf" file the user can enable/disable SSL protocols and set the accepted cipher suites. This file could be just five lines (example below with my desired settings):
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2

This absolutely cannot require FIPS mode to be enabled or used in Windows. FIPS mode is unnecessary and is an archaic group policy that actually makes the Windows system less secure. There are a plethora of resources online that detail how to edit the Windows registry to configure which protocols and cipher suites are enabled/disabled for Schannel, which is what FIPS mode will edit, but FIPS mode makes bad and old choices for protocols, ciphers, and more. The IIS Crypto tool from Nartac is also a great resource to do this the right way. Regardless, httpd used by LanGuard still needs to be configurable as well.
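
One way to check a fragment like the proposed product-ssl.conf before httpd loads it, as an added example that is not part of the original post and not GFI's code. It assumes a simplified model of the SSLProtocol token syntax, uses the exclusions in the post's cipher string as the baseline, and `WEAK` is a constructed fragment for contrast.

```python
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
# Exclusions carried by the post's cipher string, used here as the baseline.
BASELINE = {"MD5", "RC4", "3DES", "DSS", "DH"}
# POST is the post's five lines; WEAK is a constructed weaker fragment.
POST = """SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2"""
WEAK = "SSLProtocol all -SSLv3\nSSLCipherSuite HIGH:MEDIUM:!MD5\n"

def parse(text):
    """Map each SSL* directive to its arguments (last occurrence wins)."""
    conf = {}
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0].startswith("SSL"):
            conf[parts[0]] = parts[1:]
    return conf

def enabled_protocols(args):
    """Simplified model: +X adds, -X removes, a bare X resets the set to X."""
    enabled = set()
    for tok in args:
        name = tok.lstrip("+-").lower()
        names = {p for p in KNOWN if name in ("all", p.lower())}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled = enabled | names if tok.startswith("+") else names
    return enabled

def audit(text):
    """Return findings in check order; an empty list means the fragment passes."""
    conf, findings = parse(text), []
    for d in ("SSLProtocol", "SSLProxyProtocol", "SSLCipherSuite", "SSLProxyCipherSuite"):
        if not conf.get(d):
            findings.append(f"{d}: not set")
        elif d.endswith("Protocol"):
            legacy = sorted(enabled_protocols(conf[d]) & LEGACY)
            if legacy:
                findings.append(f"{d}: legacy protocols enabled: {', '.join(legacy)}")
        else:
            spec = conf[d][-1].split(":")  # last argument is the cipher spec
            missing = sorted(BASELINE - {t[1:] for t in spec if t.startswith("!")})
            if missing:
                findings.append(f"{d}: missing exclusions: {', '.join(missing)}")
    if [a.lower() for a in conf.get("SSLHonorCipherOrder", [])] != ["on"]:
        findings.append("SSLHonorCipherOrder: not on")
    return findings
```

`audit(POST)` returns an empty list, while `audit(WEAK)` reports the legacy protocols left on by `all -SSLv3`, the missing cipher exclusions, and the proxy-side directives that were never set.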