TLS 1.2 support and cipher suite configuration [message #148393]
Mon, 06 July 2020 19:03
havx
Messages: 1 Registered: July 2020
Please add support for and the option to configure the LanGuard server and agents to use TLS 1.2 for communication as well as the ability to configure which cipher suites are accepted.
You could add advanced configuration settings to the application GUI. Or another suggested way to go about this could be simply adding an "Include product/product-ssl.conf" to the "..\GFI\LanGuard 12\HttpdConfig\product.conf" file and in the new editable "product-ssl.conf" file the user can enable/disable SSL protocols and set the accepted cipher suites. This file could be just five lines (example below with my desired settings):
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2
This absolutely cannot require FIPS mode to be enabled or used in Windows. FIPS mode is unnecessary and is an archaic group policy that actually makes the Windows system less secure. There are a plethora of resources online that detail how to edit the Windows registry to configure which protocols and cipher suites are enabled/disabled for Schannel, which is what FIPS mode will edit, but FIPS mode makes bad and old choices for protocols, ciphers, and more. The IIS Crypto tool from Nartac is also a great resource to do this the right way. Regardless, httpd used by LanGuard still needs to be configurable as well.
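A check for a file like the proposed "product-ssl.conf", as an added example that is not part of the original post and not GFI or Apache code: it evaluates the SSLProtocol arguments and expands the cipher string with the local OpenSSL to see which suites it really admits. The function names, the expansion of `all`, and the default used when a protocol directive is absent are assumptions.

```python
import ssl

# Constructed sample: the five directives proposed in the post.
SAMPLE_CONF = """\
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DSS:!DH
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2
"""
# Assumption: what "all" covers; the real set depends on the httpd/OpenSSL build.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP")

def parse_directives(text):
    """Return {directive: arguments}; last occurrence wins, comments are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out

def enabled_protocols(spec):
    """Evaluate an SSLProtocol argument list such as 'all -SSLv3' or 'TLSv1.2'."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        # "-" removes, "+" adds, an unprefixed token replaces the set so far
        enabled = enabled - names if sign == "-" else (enabled | names if sign else set(names))
    return enabled

def weak_suites(cipher_string):
    """Expand the string with the local OpenSSL; return suites matching WEAK_MARKERS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in WEAK_MARKERS)]

def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    d, findings = parse_directives(text), []
    for key in ("SSLProtocol", "SSLProxyProtocol"):
        legacy = enabled_protocols(d.get(key, "all")) & LEGACY  # assumed default: all
        findings += [f"{key} enables {sorted(legacy)}"] if legacy else []
    for key in ("SSLCipherSuite", "SSLProxyCipherSuite"):
        weak = weak_suites(d[key]) if key in d else []
        findings += [f"{key} admits {weak}"] if weak else []
    return findings
```

The cipher expansion reflects the OpenSSL that Python is linked against, which may differ from the build the product's httpd uses.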