KB Article #178624
Upgrade report warns that it is recommended to turn off SSLv2 and SSLv3.
Problem
When you upgrade a configuration, the upgrade report warns you to turn off insecure protocols such as SSLv2 or SSLv3:
REPORT 01/May/2017:00:00:00.000 [00000:000000000000000000000000] @UPGRADE(@LABEL(SSL/TLS protocols.)@TYPE(SSL_OPTIONS),@SEVERITY(WARNING),@DESC(Consider reconfiguring SSL/TLS protocols, it is recommended to turn off SSLv2 and SSLv3.)@ESPK(/[CircuitContainer]name=Policy Library/[CircuitContainer]name=Routing Policies/[FilterCircuit]name=Route Connection/[ConnectionFilter]name=Connection))
Resolution
Both the SSLv2 and SSLv3 protocols are broken and can no longer be used securely. SSLv2 was deprecated in RFC 6176 in 2011, and SSLv3 was broken by the POODLE vulnerability. Most security audits flag the use of either protocol as a security vulnerability, so both should be avoided.
As of 7.5.3, Connect to URL filters have an option to control which protocols they use when connecting outwards. Set these to allow only TLS 1.0 or higher. All SSL ports should also be configured to disable the SSLv2 and SSLv3 protocols. Old-style Connection filters are deprecated and should be replaced with Connect to URL filters.
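To find every entity that needs this change after an upgrade, the report entries can be parsed and filtered on the SSL_OPTIONS type. The script below is an added example, not vendor code: the field layout is inferred from the single entry shown under Problem, the function names are hypothetical, and the second sample entry (including EXAMPLE_TYPE) is constructed for contrast.

```python
import re

# Constructed sample: the article's warning, wrapped, plus an invented entry.
SAMPLE_REPORT = """\
REPORT 01/May/2017:00:00:00.000 [00000:000000000000000000000000]
@UPGRADE(@LABEL(SSL/TLS
protocols.)@TYPE(SSL_OPTIONS),@SEVERITY(WARNING),@DESC(Consider
reconfiguring SSL/TLS protocols, it is recommended to turn off SSLv2 and
SSLv3.)@ESPK(/[CircuitContainer]name=Policy
Library/[CircuitContainer]name=Routing
Policies/[FilterCircuit]name=Route Connection/[ConnectionFilter]name=Connection))
REPORT 01/May/2017:00:00:00.000 [00000:000000000000000000000000]
@UPGRADE(@LABEL(Example.)@TYPE(EXAMPLE_TYPE),@SEVERITY(INFO),@DESC(Constructed
entry (not real).)@ESPK(/[CircuitContainer]name=Policy Library))
"""

def _balanced(text, start):
    """Return the text inside the parenthesis that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced parentheses in report entry")

def parse_upgrade_entries(report):
    """Yield a dict of @FIELD(...) values for each @UPGRADE(...) entry."""
    flat = " ".join(report.split())  # undo line wrapping inside entries
    for m in re.finditer(r"@UPGRADE\(", flat):
        body = _balanced(flat, m.end() - 1)
        yield {f.group(1): _balanced(body, f.end() - 1)
               for f in re.finditer(r"@([A-Z]+)\(", body)}

def ssl_findings(report):
    """Return (severity, entity type, entity path) per SSL_OPTIONS entry."""
    out = []
    for e in parse_upgrade_entries(report):
        if e.get("TYPE") == "SSL_OPTIONS":
            path = e.get("ESPK", "")
            kind = path.rsplit("[", 1)[-1].split("]")[0]  # last [Type] in path
            out.append((e.get("SEVERITY"), kind, path))
    return out

if __name__ == "__main__":
    for severity, kind, path in ssl_findings(SAMPLE_REPORT):
        print(f"{severity}: {kind} at {path}")
```

An entity type of ConnectionFilter in the output marks an old-style Connection filter, which the resolution above says to replace with a Connect to URL filter.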