How to Disable TLS 1.0 on Sophos UTM for PCI Compliance

Trying to pass PCI Compliance with your Sophos UTM? Good luck. You can’t as of 12/15/2015. Maybe someday they’ll release an update that allows you to easily “check” a box. Until then, welcome to the Sophos Command Line!

Warning: I’m a Linux beginner. But these steps worked for me. By the way, Sophos said this voids the support warranty. When I pressed the issue, they stated it doesn’t void my support agreement. I still don’t understand what it voids so proceed with caution.

  1. In the Sophos Dashboard, go to Management > System Settings > Shell Access. Create a password for root and loginuser and click the “Set Specified Passwords” box. Then, make sure the network you’re connecting from is in Allowed Networks. Finally, make sure “Allow password authentication” is checked. Hit Apply and again, make sure the green “On/off” switch is ON at the top right corner.
  2. Go download and install PuTTY and WinSCP.
  3. Start with WinSCP. We’re going to make a backup, first.
    1. Enter the IP and Port (2222) and connect to your Sophos UTM.
    2. Go ‘up’ a few levels until you’re at the Root folder. Then, navigate towards the /var/chroot-httpd/etc/httpd directory.
    3. Download the httpd.conf file by dragging the file from the right side to the left side (like FTP).
    4. Great. We have a backup with the original text inside. Disconnect your session. I have no idea how to restore, btw. That’s how much I suck. But we have a backup!! 🙂
  4. Start PuTTY and connect to the same IP and port. We’re going to edit that same httpd.conf file in the command line.
    1. First, log in with loginuser and press enter.
    2. Type su then press enter.
    3. Enter your root password and press enter.
    4. Type cd / and press enter. You’re at root now.
    5. Now type cd var/chroot-httpd/etc/httpd and press enter.
    6. To edit the file type vi httpd.conf and press enter.
    7. Use the down arrow key to scroll down near the bottom of the file. You’re looking for SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    8. Once you spot it, press the Insert key on your keyboard and use the keyboard to change the +TLSv1 to -TLSv1
    9. Press ESC to exit the editing mode.
    10. Now press : (you might have to press enter after typing the colon). This should take you to the bottom of the screen.
    11. After the : type x and press enter. This should save the file and get you back to the command line.
    12. At the command line, paste this entire code and hit enter to restart httpd:
      /etc/init.d/httpd restart
    13. Once it restarts, at the command line, you can verify TLS 1.0 is disabled by pasting this line and pressing enter:
      openssl s_client -connect localhost:4444 -tls1
    14. If properly disabled, it will say the handshake failed or something similar.
    15. Type quit and close PuTTY. You’re done.

Note: You’ll need to repeat these steps every time you update the Sophos UTM firmware. Thanks for nothing, Sophos. 😦
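
Since the edit has to be redone after every firmware update, here is the same change as a small repeatable shell script. This is an added example, not part of the original steps and not Sophos code; the function names are hypothetical and it assumes the SSLProtocol line has the form shown in step 7.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes the active directive looks like the one in step 7:
#   SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
# ("SSLProtocol all ..." is not handled here.)

# Print "enabled", "disabled" or "missing" for TLS 1.0 in the given config.
tls10_state() {
    # Uncommented SSLProtocol lines only.
    lines=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1") || { echo missing; return 0; }
    # TLSv1 as a whole token, with "+" or no prefix. TLSv1.1 and TLSv1.2 do
    # not match because the token must be followed by whitespace or end of line.
    if printf '%s\n' "$lines" | grep -Eq '[[:space:]]\+?TLSv1([[:space:]]|$)'; then
        echo enabled
    else
        echo disabled
    fi
}

# Back up the config, then turn "+TLSv1" (or bare "TLSv1") into "-TLSv1".
# Safe to run repeatedly: an already-fixed file is left alone, no new backup.
disable_tls10() {
    conf=$1
    case $(tls10_state "$conf") in
        disabled) return 0 ;;
        missing)  echo "no active SSLProtocol line in $conf" >&2; return 2 ;;
    esac
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    sed -E '/^[[:space:]]*SSLProtocol[[:space:]]/ s/([[:space:]])\+?TLSv1([[:space:]]|$)/\1-TLSv1\2/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage on the UTM, as root (path and restart command are the ones from the steps above):
#   disable_tls10 /var/chroot-httpd/etc/httpd/httpd.conf && /etc/init.d/httpd restart
#   openssl s_client -connect localhost:4444 -tls1   # should now fail the handshake
```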

Huge thanks to Colorado State University for the VI commands above.