You are here

CBC-Ciphers removed in Airlock Gateway 7.5

Affects product: 
Airlock WAF
Affects version(s): 

With Airlock Gateway 7.5, the default cipher suites have changed (AP-25739) for external HTTPS connections and connections to the Configuration Management (GUI and REST). The cipher suites no longer contain CBC-mode ciphers [1], because they have been considered weak for years and several attacks exploiting these weaknesses are known [2]. Most block ciphers today use GCM [3] as an alternative.

Removing weak ciphers usually comes with a compromise regarding the support of old clients. By removing the corresponding ciphers, Airlock Gateway will no longer support certain browsers released before 2015. Examples of such unsupported browsers are:

  • IE 11 / Win Phone 8
  • Safari 8 / OS X 10.10

In addition, we changed the TLS settings for the "Allow low strength ciphers" setting on virtual hosts. Before Airlock Gateway 7.5, the option enabled the older TLS protocol versions 1.0 and 1.1. Starting with Gateway 7.5, the option no longer affects the default TLS protocol versions, which are 1.2 and 1.3. The low-strength cipher suites still accept CBC-mode ciphers and can therefore be enabled to support browsers like the ones mentioned above.

We recommend using the default TLS settings of Airlock Gateway. Weakening TLS settings may result in low scores for TLS scanners like or pentesters reporting the security issues associated with old ciphers and protocols.

However, if these settings are too restrictive, we recommend to selectively activate the low-strength cipher suites on affected virtual hosts. If you need to be even more permissive, e.g. because very old clients without TLS 1.2 support must be admitted, there is always the option of configuring the corresponding TLS settings using Apache Expert Settings.

Example: In order to activate TLS 1.0 and TLS 1.1, as well as old cipher suites:

  • Enable the "Allow low strength ciphers" checkbox on the virtual host
  • Configure the apache expert setting

SSLProtocol all -SSLv3

on the corresponding virtual host. (This directive does not work in the global Apache Expert settings due to technical restrictions of the Apache HTTP Server.)


Knowledge Base Categories: