Imperva Cyber Community

  • 1.  disable tls version 1.0 and 1.1 imperva

    Posted 07-23-2020 12:06
    Dear Team,

    We have a requirement to disable TLS versions on existing Imperva devices.

    Versions we are going to disable: TLS 1.0 and 1.1.

    Model information

    Imperva WAF, SecureSphere x2010


    We would appreciate it if someone could give the earliest answer.
    #Advanced Bot Protection
    #API Security
    #Account Take Over
    #Attack Analytics
    #Cloud WAF (formerly Incapsula)
    #Cloud Data Security
    #Content Delivery Network
    #Database Activity Monitoring
    #Data Masking (formerly Camouflage)
    #Data Risk Analytics (formerly CounterBreach)
    #DDoS Protection for Networks
    #DDoS Protection for Websites
    #Imperva Agent
    #Load Balancer
    #On-Premises WAF (formerly SecureSphere)
    #RASP
    #zOS Agent
    #All Imperva

    ------------------------------
    Harmesh Yadav
    Velocis Systems PVT LTD
    Pune
    ------------------------------


  • 2.  RE: disable tls version 1.0 and 1.1 imperva

    Posted 07-26-2020 11:21
    Here is some information that one of our specialists recommended, @Alex B:

    Before you do this, test it first in non production, and make the change during a maintenance window.

    Assuming you are running in reverse proxy:

    Enable/Disable ciphers/TLS versions without GW restart
    • This configuration affects TLS handshakes for RP GWs only, as a Bridge GW doesn't control the TLS handshake negotiation done between the client and server.
      In case of disabling ciphers when in Bridge mode, it means that if the disabled ciphers were agreed on by the client and server, the GW won't be able to support their SSL session.
    • This advanced configuration is supported from v11.5 and above. If you are using older versions, try changing the ciphers list to be aligned with the list available in the bootstrap.xml file.

    Go to Gateway screen > *Gateway group* > Advanced Configuration (Right pane below).
    Paste the following into the text box (and edit which ciphers and TLS versions you would like to be enabled/disabled), then save:

    <kssl-config>
      <!-- Cipher suites: true = offered by the GW, false = disabled -->
      <kssl dh-key-size="1024">
        <TLS_DHE_RSA_WITH_AES_256_CBC_SHA256>false</TLS_DHE_RSA_WITH_AES_256_CBC_SHA256>
        <TLS_DHE_RSA_WITH_AES_128_CBC_SHA256>false</TLS_DHE_RSA_WITH_AES_128_CBC_SHA256>
        <TLS_RSA_WITH_AES_256_CBC_SHA256>false</TLS_RSA_WITH_AES_256_CBC_SHA256>
        <TLS_RSA_WITH_AES_128_CBC_SHA256>false</TLS_RSA_WITH_AES_128_CBC_SHA256>
        <TLS_RSA_WITH_AES_128_GCM_SHA256>false</TLS_RSA_WITH_AES_128_GCM_SHA256>
        <TLS_RSA_WITH_AES_256_GCM_SHA384>false</TLS_RSA_WITH_AES_256_GCM_SHA384>
        <TLS_DHE_RSA_WITH_AES_128_GCM_SHA256>false</TLS_DHE_RSA_WITH_AES_128_GCM_SHA256>
        <TLS_DHE_RSA_WITH_AES_256_GCM_SHA384>false</TLS_DHE_RSA_WITH_AES_256_GCM_SHA384>
        <TLS_RSA_WITH_AES_256_CBC_SHA>true</TLS_RSA_WITH_AES_256_CBC_SHA>
        <TLS_RSA_WITH_NULL_SHA256>false</TLS_RSA_WITH_NULL_SHA256>
        <TLS_DHE_RSA_WITH_AES_256_CBC_SHA>false</TLS_DHE_RSA_WITH_AES_256_CBC_SHA>
        <TLS_DHE_RSA_WITH_AES_128_CBC_SHA>true</TLS_DHE_RSA_WITH_AES_128_CBC_SHA>
        <TLS_RSA_WITH_AES_128_CBC_SHA>true</TLS_RSA_WITH_AES_128_CBC_SHA>
        <SSL_RSA_WITH_RC4_128_MD5>false</SSL_RSA_WITH_RC4_128_MD5>
        <SSL_RSA_WITH_RC4_128_SHA>false</SSL_RSA_WITH_RC4_128_SHA>
        <SSL_DHE_RSA_WITH_DES_CBC_SHA>false</SSL_DHE_RSA_WITH_DES_CBC_SHA>
        <SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA>
        <SSL_RSA_WITH_DES_CBC_SHA>false</SSL_RSA_WITH_DES_CBC_SHA>
        <SSL_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_RSA_WITH_3DES_EDE_CBC_SHA>
        <SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA>false</SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA>
        <SSL_RSA_EXPORT_WITH_RC4_40_MD5>true</SSL_RSA_EXPORT_WITH_RC4_40_MD5>
        <TLS_RSA_EXPORT1024_WITH_RC4_56_SHA>false</TLS_RSA_EXPORT1024_WITH_RC4_56_SHA>
        <TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA>false</TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA>
        <TLS_RSA_EXPORT1024_WITH_RC4_56_MD5>true</TLS_RSA_EXPORT1024_WITH_RC4_56_MD5>
        <SSL_RSA_EXPORT_WITH_DES40_CBC_SHA>false</SSL_RSA_EXPORT_WITH_DES40_CBC_SHA>
        <SSL_RSA_WITH_NULL_MD5>false</SSL_RSA_WITH_NULL_MD5>
        <SSL_RSA_WITH_NULL_SHA>false</SSL_RSA_WITH_NULL_SHA>
        <TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA>true</TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA>
        <TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA>true</TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA>
        <TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>true</TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>
        <TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384>true</TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384>
      </kssl>
      <!-- Protocol versions: <client> is the client-to-GW side, <server> is the GW-to-server side -->
      <tls-supported-versions>
        <client>
          <SSL_3_0>false</SSL_3_0>
          <TLS_1_0>true</TLS_1_0>
          <TLS_1_1>true</TLS_1_1>
          <TLS_1_2>true</TLS_1_2>
        </client>
        <server>
          <SSL_3_0>false</SSL_3_0>
          <TLS_1_0>true</TLS_1_0>
          <TLS_1_1>true</TLS_1_1>
          <TLS_1_2>true</TLS_1_2>
        </server>
      </tls-supported-versions>
    </kssl-config>

    Notes:

    The <client> tag is responsible for the connection between the client and the GW.

    The <server> tag is responsible for the connection between the GW and the server.

    The kssl enabled ciphers affect the GW's available ciphers for both sides.

    That's it.


    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------
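The Advanced Configuration text box accepts whatever you paste, so a pre-change check is worth having: the block below is an added example (not Imperva's tooling or code from the post) that parses a kssl-config in the shape shown above, sets the chosen versions to false on both <client> and <server>, and reports any still-enabled cipher whose name matches weak patterns (NULL, EXPORT, RC4, DES/3DES, MD5). The element names follow the post; the sample config and the weak-name heuristic are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the post's kssl-config (trimmed to a few ciphers).
SAMPLE = """<kssl-config>
  <kssl dh-key-size="1024">
    <TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>true</TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>
    <TLS_RSA_WITH_AES_128_CBC_SHA>true</TLS_RSA_WITH_AES_128_CBC_SHA>
    <SSL_RSA_EXPORT_WITH_RC4_40_MD5>true</SSL_RSA_EXPORT_WITH_RC4_40_MD5>
    <SSL_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_RSA_WITH_3DES_EDE_CBC_SHA>
  </kssl>
  <tls-supported-versions>
    <client><SSL_3_0>false</SSL_3_0><TLS_1_0>true</TLS_1_0>
            <TLS_1_1>true</TLS_1_1><TLS_1_2>true</TLS_1_2></client>
    <server><SSL_3_0>false</SSL_3_0><TLS_1_0>true</TLS_1_0>
            <TLS_1_1>true</TLS_1_1><TLS_1_2>true</TLS_1_2></server>
  </tls-supported-versions>
</kssl-config>"""

# Heuristic: cipher-suite names containing these tokens are not acceptable today.
WEAK = re.compile(r"NULL|EXPORT|RC4|DES|MD5")


def is_well_formed(xml_text):
    """True if the text parses as XML (catches a missing '>' before pasting)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def disable_versions(xml_text, versions=("SSL_3_0", "TLS_1_0", "TLS_1_1")):
    """Set the given protocol versions to false on both sides and audit the ciphers.
    Returns (new_xml, report); report lists enabled ciphers, weak ones, and versions."""
    root = ET.fromstring(xml_text)
    sides = root.find("tls-supported-versions")
    for side in sides:                      # <client> and <server>
        for v in versions:
            el = side.find(v)
            if el is not None:
                el.text = "false"
    enabled = [c.tag for c in root.find("kssl") if (c.text or "").strip() == "true"]
    if not enabled:                         # a GW with no ciphers cannot complete a handshake
        raise ValueError("no cipher suites enabled")
    report = {
        "enabled": enabled,
        "weak_enabled": [c for c in enabled if WEAK.search(c)],
        "versions": {s.tag: {v.tag: v.text for v in s} for s in sides},
    }
    return ET.tostring(root, encoding="unicode"), report
```

Run it against the full template from the post before pasting it: the two EXPORT suites left at true will show up under weak_enabled, and the version map confirms that TLS 1.0/1.1 are off on both sides.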



  • 3.  RE: disable tls version 1.0 and 1.1 imperva

    Posted 08-05-2020 13:32
    @Harmesh Yadav, as a follow-up to this, Kssl AC is less recommended for customers with versions 13.0 and above. This is since we have a better and more user-friendly tool --> SSL Settings. Additionally, Kssl AC suffers from issues that are known by Imperva.

    This doc should be able to help with Configuring SSL Settings. In this doc, you will be shown how to configure SecureSphere / WAF Gateway to provide increased protection against Transport Layer attacks. This enables you to inspect, alert and mitigate violations also in SSL.


    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------