Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Loading...
Loading...

HOWTO: Limiting accepted SSL/TLS Protocols

Expand / Collapse


This article applies to:

  • WebMarshal 6.11 and above
  • Note change in behavior for 6.12 and above
  • TLS v1.3 available in 7.3 and above

Question:

  • How do I limit the SSL/TLS versions WebMarshal will use to negotiate secure connections with web servers?
  • How do I limit the SSL/TLS versions WebMarshal will use to negotiate secure connections for client (web browser) connections?
  • What SSL or TLS versions does WebMarshal refuse by default?

Prerequisite:

For these settings to have effect, you must enable WebMarshal HTTPS Content Inspection. You do not need to enable any HTTPS rules to use these settings, but Trustwave recommends that you use a rule to block connections where SSL/TLS could not be negotiated.

Procedure:

In WebMarshal 6.11 and above, by default WebMarshal allows any of TLSv1.0, TLSv1.1, and TLSv1.2 for both client and server HTTPS connections.

  • By default WebMarshal 6.11 does not allow connections using SSLv2 or SSLv3.
  • WebMarshal 6.12 cannot negotiate SSLv2, and by default blocks requests where HTTPS cannot be negotiated as well as connections using SSLv3.

You can change the allowed SSL or TLS versions by adding entries in the WebMarshal Proxy Configuration file (WMProxy.config.xml)

Available values

For all of the below settings, the available values are:

1 = SSLv2 (not available in 6.12 and above)
2 = SSLv3
3 = TLSv1.0
4 = TLSv1.1
5 = TLSv1.2
6 = TLSv1.3 (available in 7.3 and above)

Settings

serverNegotiateSecureMin
The minimum protocol value that WebMarshal will negotiate with a remote server. Default: 2 (SSLv3) for version 6.12 and above; 1 (SSLv2) for 6.11
serverAllowSecureMin
The minimum protocol value that WebMarshal will allow for connections with a remote server. If the negotiated protocol is lower (weaker) than the Allow minimum, the connection will be blocked. Default: 3 (TLSv1)

clientNegotiateSecureMin
The minimum protocol value that WebMarshal will negotiate with a browser or other client software. Default: 2 (SSLv3) for version 6.12 and above; 1 (SSLv2) for 6.11
clientAllowSecureMin
The minimum protocol value that WebMarshal will allow for connections with a browser or other client software. If the negotiated protocol is lower (weaker) than the Allow minimum, the connection will be blocked. Default: 3 (TLSv1)

For any entry that is not set, the default value will be used.

  • Caution: If WebMarshal cannot negotiate a connection, then the connection will be tunnelled through between the browser and server without inspection, UNLESS you enable a rule to block where SSL/TLS could not be negotiated.
    • This fact explains the logic of negotiating any protocol by default.
    • Trustwave recommends that you do block connections where SSL/TLS could not be negotiated.

Example:

To allow SSLv3 connections you could enter:

<WebMarshal> 
   <Proxy>
      <Config>
<SSL serverAllowSecureMin="2" clientAllowSecureMin="2" [other attributes...] />
</Config>
   </Proxy>
</WebMarshal>

Change in version 6.12 and above:

  • SSLv2 is no longer supported through WebMarshal.
  • All configuration options related to SSLv2 are removed from WebMarshal as of version 6.12.
  • When HTTPS inspection is enabled, Trustwave recommends you use the rule condition "Where SSL/TLS could not be negotiated" to block any attempt to connect with SSLv2.
  • A rule to block connections "Where SSL/TLS could not be negotiated" is created and enabled on new installation of version 6.12 and also on upgrade to 6.12.

Additional options and cautions:

  • Best practice is to block the SSLv2 and SSLv3 protocols for all sites. If you have a business need to allow sites that do not support TLS, Trustwave recommends:
    1. Allow SSLv3 as shown in the example above.
    2. Create HTTPS rules to block SSLv2 and SSLv3 connections from all sites/URLS, EXCEPT the specific sites you have a business need to allow.
  • Trustwave recommends you use a HTTPS rule to block all connections where SSL/TLS could not be negotiated. The default rules for new installations of WebMarshal 6.11 and above include this rule.
    • Testing shows that WebMarshal 6.11 may not be able to negotiate SSLv2 connections with some websites. 
    • Legitimate SSLv2-only websites are very rare.

Notes:

  • XML file entries are CASE SENSITIVE. For general notes on editing XML, see article Q12705.
  • You can also take policy based action on the protocol versions, with a HTTPS rule condition.
  • Back up configuration before making changes.
  • Restart the WebMarshal proxy service to apply changes.
  • The file WMProxy.config.xml normally contains additional settings. The ProxySettings, SSL, and FTP nodes can have multiple attributes. Each of these nodes should only occur once.
  • To adjust this setting, only add (or remove) the specific attributes as described above.

To contact Trustwave about this article or to request support:


Rate this Article:
     

Add Your Comments


Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster
.