Skip to main content
Support

KB Article #178624

Upgrade report warns that it is recommended to turn off SSLv2 and SSLv3.

Problem

When upgrading a configuration, it warns you to turn off insecure protocols like SSLv2 or SSLv3

REPORT 01/May/2017:00:00:00.000 [00000:000000000000000000000000] @UPGRADE(@LABEL(SSL/TLS protocols.)@TYPE(SSL_OPTIONS),@SEVERITY(WARNING),@DESC(Consider reconfiguring SSL/TLS protocols, it is recommended to turn off SSLv2 and SSLv3.)@ESPK(/[CircuitContainer]name=Policy Library/[CircuitContainer]name=Routing Policies/[FilterCircuit]name=Route Connection/[ConnectionFilter]name=Connection))

Resolution

Both the SSLv2 and SSLv3 protocols are broken and they can no longer be used securely. SSLv2 was deprecated in RFC 6176 in 2011. Similarly, the SSLv3 protocol was broken by the POODLE vulnerability and it can no longer be used securely. The use of either protocol will be flagged as a security vulnerability by most security audits and should be avoided.


As of 7.5.3, Connect to URL filters have an option to control what protocols they will use when connecting outwards. These should be set to allow only TLS 1.0 or higher. All SSL ports should also be configured to disable the SSLv2 and SSLv3 protocols. Old style Connection filters are deprecated and should be replaced with Connect to URL filters.