Limiting accepted SSL/TLS Protocols


This article applies to:

  • WebMarshal 6.11 and above
  • Note change in behavior for 6.12 and above
  • TLS v1.3 available in 7.3 and above

Question:

  • How do I limit the SSL/TLS versions WebMarshal will use to negotiate secure connections with web servers?
  • How do I limit the SSL/TLS versions WebMarshal will use to negotiate secure connections for client (web browser) connections?
  • What SSL or TLS versions does WebMarshal refuse by default?

Prerequisite:

For these settings to have effect, you must enable WebMarshal HTTPS Content Inspection. You do not need to enable any HTTPS rules to use these settings, but Trustwave recommends that you use a rule to block connections where SSL/TLS could not be negotiated.

Procedure:

In WebMarshal 6.11 and above, by default WebMarshal allows any of TLSv1.0, TLSv1.1, and TLSv1.2 for both client and server HTTPS connections.

  • By default WebMarshal 6.11 does not allow connections using SSLv2 or SSLv3.
  • WebMarshal 6.12 cannot negotiate SSLv2, and by default blocks requests where HTTPS cannot be negotiated as well as connections using SSLv3.

You can change the allowed SSL or TLS versions by adding attributes to the SSL node in the WebMarshal Proxy Configuration file (WMProxy.config.xml).

Available values

For all of the below settings, the available values are:

1 = SSLv2 (not available in 6.12 and above)
2 = SSLv3
3 = TLSv1.0
4 = TLSv1.1
5 = TLSv1.2
6 = TLSv1.3 (available in 7.3 and above)

Settings

serverNegotiateSecureMin
The minimum protocol value that WebMarshal will offer when negotiating with a remote server. Default: 2 (SSLv3) for version 6.12 and above; 1 (SSLv2) for 6.11
serverAllowSecureMin
The minimum protocol value that WebMarshal will accept for an already negotiated connection with a remote server. If the negotiated protocol is lower (weaker) than the Allow minimum, the connection is blocked. Default: 3 (TLSv1.0)

clientNegotiateSecureMin
The minimum protocol value that WebMarshal will offer when negotiating with a browser or other client software. Default: 2 (SSLv3) for version 6.12 and above; 1 (SSLv2) for 6.11
clientAllowSecureMin
The minimum protocol value that WebMarshal will accept for an already negotiated connection with a browser or other client software. If the negotiated protocol is lower (weaker) than the Allow minimum, the connection is blocked. Default: 3 (TLSv1.0)

For any entry that is not set, the default value will be used.

  • Caution: If WebMarshal cannot negotiate a connection, then the connection will be tunnelled through between the browser and server without inspection, UNLESS you enable a rule to block where SSL/TLS could not be negotiated.
    • This fact explains the logic of negotiating any protocol by default.
    • Trustwave recommends that you do block connections where SSL/TLS could not be negotiated.

Example:

To allow SSLv3 connections (value 2) for both sides, you could enter:

<WebMarshal>
   <Proxy>
      <Config>
         <SSL serverAllowSecureMin="2" clientAllowSecureMin="2" [other attributes...] />
      </Config>
   </Proxy>
</WebMarshal>
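The following PowerShell script is an added example for this article, not Trustwave code. It applies the four attributes described above to the SSL node of WMProxy.config.xml by loading the file as XML (so other attributes on the node are preserved and the file stays well-formed), takes a backup first, refuses to run if the SSL node is missing or occurs more than once, and warns when a Negotiate floor is set above the corresponding Allow floor, since in that case the Allow check can never trigger. The file location, the hardened default floors (offer TLSv1.0, accept only TLSv1.2 and above) and the service restart step are assumptions you must adjust for your installation; the value codes are the ones listed under "Available values", and SSLv2 is deliberately left out because it is not available in 6.12 and above.

```powershell
# Added example (not Trustwave code): set the SSL/TLS protocol floors in WMProxy.config.xml.
# Assumptions: -Path points at the real WMProxy.config.xml (location varies by install), and
# the attribute names and value codes are the ones documented in KB article 20067.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ServerNegotiateMin = 'TLSv1.0',   # assumed hardened defaults; change to suit policy
    [string]$ServerAllowMin     = 'TLSv1.2',
    [string]$ClientNegotiateMin = 'TLSv1.0',
    [string]$ClientAllowMin     = 'TLSv1.2'
)

# Value codes from the article. SSLv2 (1) is omitted on purpose: not available in 6.12 and above.
# TLSv1.3 (6) is only meaningful on 7.3 and above.
$Codes = [ordered]@{ 'SSLv3' = 2; 'TLSv1.0' = 3; 'TLSv1.1' = 4; 'TLSv1.2' = 5; 'TLSv1.3' = 6 }

function Resolve-ProtocolCode([string]$Name) {
    if (-not $Codes.Contains($Name)) {
        throw "Unknown protocol '$Name'. Use one of: $($Codes.Keys -join ', ')"
    }
    return [int]$Codes[$Name]
}

$settings = @{
    serverNegotiateSecureMin = Resolve-ProtocolCode $ServerNegotiateMin
    serverAllowSecureMin     = Resolve-ProtocolCode $ServerAllowMin
    clientNegotiateSecureMin = Resolve-ProtocolCode $ClientNegotiateMin
    clientAllowSecureMin     = Resolve-ProtocolCode $ClientAllowMin
}

# A Negotiate floor above the Allow floor makes the Allow floor redundant: nothing weaker than
# the Negotiate floor is ever negotiated, so the "block if weaker than Allow" check never fires.
foreach ($side in 'server', 'client') {
    if ($settings["${side}NegotiateSecureMin"] -gt $settings["${side}AllowSecureMin"]) {
        Write-Warning "${side}: NegotiateSecureMin is above AllowSecureMin; the Allow floor will never trigger."
    }
}

# Resolve to a full path: XmlDocument.Save uses the .NET working directory, not PowerShell's.
$fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

# Back up before touching the file (the article's own advice).
$backup = "$fullPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $fullPath -Destination $backup
Write-Host "Backup written to $backup"

# Load as XML rather than editing text, so other attributes on the SSL node survive untouched.
[xml]$cfg = Get-Content -LiteralPath $fullPath -Raw

# XPath is case sensitive, matching the article's note that the XML entries are case sensitive.
# The article also says the SSL node should occur exactly once, so anything else is an error.
$sslNodes = $cfg.SelectNodes('/WebMarshal/Proxy/Config/SSL')
if ($sslNodes.Count -ne 1) {
    throw "Expected exactly one SSL node under /WebMarshal/Proxy/Config, found $($sslNodes.Count). Fix the file by hand."
}
$ssl = $sslNodes[0]

foreach ($name in $settings.Keys) {
    $old = if ($ssl.HasAttribute($name)) { $ssl.GetAttribute($name) } else { '(not set, default applies)' }
    $ssl.SetAttribute($name, [string]$settings[$name])
    Write-Host ("{0}: {1} -> {2}" -f $name, $old, $settings[$name])
}

$cfg.Save($fullPath)
Write-Host "Saved $fullPath. Restart the WebMarshal proxy service to apply the change."
```

Run it as, for example, `.\Set-WMProxyTlsFloors.ps1 -Path 'C:\path\to\WMProxy.config.xml' -ServerAllowMin TLSv1.1` (script name and path are illustrative). Keep the Negotiate floors low and raise only the Allow floors: a connection that fails to negotiate at all is tunnelled without inspection unless the "Where SSL/TLS could not be negotiated" rule is enabled, whereas a connection that negotiates below the Allow floor is blocked outright, which is the behaviour you usually want.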

Change in version 6.12 and above:

  • SSLv2 is no longer supported through WebMarshal.
  • All configuration options related to SSLv2 are removed from WebMarshal as of version 6.12.
  • When HTTPS inspection is enabled, Trustwave recommends you use the rule condition "Where SSL/TLS could not be negotiated" to block any attempt to connect with SSLv2.
  • A rule to block connections "Where SSL/TLS could not be negotiated" is created and enabled on new installation of version 6.12 and also on upgrade to 6.12.

Additional options and cautions:

  • Best practice is to block the SSLv2 and SSLv3 protocols for all sites. If you have a business need to allow sites that do not support TLS, Trustwave recommends:
    1. Allow SSLv3 as shown in the example above.
    2. Create HTTPS rules to block SSLv2 and SSLv3 connections from all sites/URLs, EXCEPT the specific sites you have a business need to allow.
  • Trustwave recommends you use an HTTPS rule to block all connections where SSL/TLS could not be negotiated. The default rules for new installations of WebMarshal 6.11 and above include this rule.
    • Testing shows that WebMarshal 6.11 may not be able to negotiate SSLv2 connections with some websites.
    • Legitimate SSLv2-only websites are very rare.

Notes:

  • XML file entries are CASE SENSITIVE. For general notes on editing XML, see article Q12705.
  • You can also take policy based action on the protocol versions, with an HTTPS rule condition.
  • Back up configuration before making changes.
  • Restart the WebMarshal proxy service to apply changes.
  • The file WMProxy.config.xml normally contains additional settings. The ProxySettings, SSL, and FTP nodes can have multiple attributes. Each of these nodes should only occur once.
  • To adjust this setting, only add (or remove) the specific attributes as described above.

Last Modified 1/28/2019.
https://support.trustwave.com/kb/KnowledgebaseArticle20067.aspx