Activation of old SSL/TLS and cipher suites

With Airlock Gateway 7.5, the default cipher suites have changed for external HTTPS connections and connections to the Configuration Management (GUI and REST API). The cipher suites no longer contain CBC-mode ciphers, because they have been considered weak for years and several attacks exploiting these weaknesses are known. Modern cipher suites use block ciphers in GCM mode instead.

Removing weak ciphers usually comes with a compromise regarding the support of old clients. By removing the corresponding ciphers, Airlock Gateway 7.5 will no longer support certain browsers released before 2015.

Examples of such unsupported browsers are:

  • IE 11 / Win Phone 8
  • Safari 8 / OS X 10.10

In addition, we changed the TLS settings for the "Allow low strength ciphers" setting on virtual hosts. Before Airlock Gateway 7.5, the option enabled the older TLS protocol versions 1.0 and 1.1. Starting with Gateway 7.5, the option no longer affects the default TLS protocol versions, which are 1.2 and 1.3.

The low-strength cipher suites still accept CBC-mode ciphers and can therefore be enabled to support browsers like the ones mentioned above.

We strongly recommend using the default TLS settings of Airlock Gateway in order to mitigate the risk of attacks based on older protocol versions. A list of known attacks on SSL/TLS can be found here: Attacks on TLS and Airlock Gateway Protection Mechanisms

Weakening SSL/TLS settings will most likely result in low scores from scanners like ssllabs.com, or in pentesters reporting the security issues associated with old ciphers and protocols.

Activation of old SSL/TLS and cipher suites

If the default settings are too restrictive, we recommend selectively activating the low-strength cipher suites on the affected virtual hosts.

If you need to be even more permissive, e.g. because very old clients without TLS 1.2 support must be admitted, configure the corresponding SSL/TLS settings.

To activate TLS 1.0 and TLS 1.1, as well as old cipher suites:

  1. Go to Application Firewall >> Reverse Proxy and choose the virtual host you want to edit.
  2. Select the SSL tab and enable the "Allow low strength ciphers" checkbox on the virtual host.
  3. If required, configure the SSL protocol version, e.g.:
    SSLProtocol all -SSLv3
  4. If required, configure the SSL/TLS Cipher suite option, e.g.:
    SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305...

The instructions do not work in the global Apache Expert settings due to technical restrictions of the Apache HTTP Server.
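As an added illustration (not Airlock's or Apache's own code), the following Python lint evaluates the two directives above the way mod_ssl does and reports which legacy protocol versions and non-AEAD (CBC-mode) suites a virtual host would end up offering, which is useful for reviewing a host before and after loosening its settings. The protocol keyword list and the AEAD-name heuristic are assumptions, and OpenSSL group keywords such as HIGH are not expanded offline.

```python
# Assumptions: mod_ssl protocol keywords as listed (TLSv1.3 needs an OpenSSL
# 1.1.1+ build); suites without an AEAD marker in the name use CBC or RC4.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

def enabled_protocols(directive):
    """Evaluate an SSLProtocol value such as 'all -SSLv3'. Tokens apply left
    to right: 'all' adds every version, '-X' removes X, '+X'/'X' adds X."""
    enabled = set()
    for token in directive.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else [name]
        for n in names:
            if n not in ALL_PROTOCOLS:
                raise ValueError(f"unknown SSLProtocol keyword: {token}")
            (enabled.discard if op == "-" else enabled.add)(n)
    return [p for p in ALL_PROTOCOLS if p in enabled]

def non_aead_ciphers(cipher_string):
    """Explicitly named suites in an SSLCipherSuite value that are not AEAD
    (CBC-mode or RC4). Group keywords such as HIGH or !aNULL cannot be
    expanded offline and are skipped; use 'openssl ciphers -v' for those."""
    found = []
    for token in cipher_string.split(":"):
        name = token.lstrip("!+-")
        if token.startswith("!") or "-" not in name or name.startswith("@"):
            continue  # excluded suite, group keyword or @ directive
        if not any(marker in name for marker in AEAD_MARKERS):
            found.append(name)
    return found

def audit(ssl_protocol, ssl_cipher_suite):
    """Summarise what a virtual host would offer with these two directives."""
    protocols = enabled_protocols(ssl_protocol)
    return {
        "protocols": protocols,
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
        "non_aead_ciphers": non_aead_ciphers(ssl_cipher_suite),
    }

if __name__ == "__main__":
    # Constructed sample: the protocol line from the page plus a cipher list
    # mixing AEAD suites with two CBC suites that a legacy browser would need.
    print(audit("all -SSLv3",
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-RSA-AES128-SHA256:AES256-SHA:!aNULL"))
```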