Wednesday, April 25, 2018

Requiring at least TLS 1.2 for Snort.org

UPDATE: After some discussion on the mailing lists, and privately, we're going to postpone this until around the 1st of July.


Later this month (currently planned for around April 25th), we will require everyone who visits Snort.org, either via the API (oinkcode) or the website, to negotiate TLS version 1.2 or 1.3 at minimum.

Today we do not enforce this restriction, but as we move more and more of what we do here at Snort / Talos / ClamAV to a more secure environment, we want to make sure everyone connecting is doing so at the best possible encryption level.

We already enforce HTTPS for every connection to any host on the snort.org domain (including blog.snort.org as of this week, in case you didn't notice), and all HTTP connections are now redirected to HTTPS. This change hasn't had any negative impact (as far as we can tell), as only 7% of connections to the snort.org domain in the past month were over HTTP.

What we are concerned about are very old Snort installations out there that haven't been updated in some time (we know they exist) and will no longer be able to connect to Snort.org.

We assume the majority of these are blocked already, since they are attempting to download version "2.4.4" of the ruleset, for example.

However, in an abundance of caution, and to isolate any issues this may cause, I figured I'd write this blog post just in case.
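Before raising the floor, the question an operator wants answered is the one the post raises: how many clients still negotiate below TLS 1.2, and which software are they running? The script below is an added example (not Snort.org's own tooling) that answers it from web-server access logs. It assumes an nginx-style log format with the negotiated protocol (`$ssl_protocol`, `-` for plain HTTP) and the user agent appended to each line; the log lines, IP addresses, paths and user agents are constructed for the example.

```python
"""Survey access logs for clients that a TLS 1.2 floor would lock out.

Added example, not Snort.org's own code. Assumes a log format of the form
  <ip> - - [<timestamp>] "<request>" <status> <bytes> <ssl_protocol> "<user agent>"
where <ssl_protocol> is nginx's $ssl_protocol ('-' when the request was plain HTTP).
"""
import re
from collections import Counter

# Constructed sample log lines: fake IPs (RFC 5737 range), made-up paths and agents.
SAMPLE_LOG = """\
198.51.100.10 - - [25/Apr/2018:10:00:01 +0000] "GET /rules/snapshot-2983.tar.gz?oinkcode=REDACTED HTTP/1.1" 200 512 TLSv1.2 "PulledPork/0.7.2"
198.51.100.11 - - [25/Apr/2018:10:00:02 +0000] "GET /rules/snapshot-2440.tar.gz?oinkcode=REDACTED HTTP/1.1" 404 0 TLSv1 "Wget/1.11.4"
198.51.100.12 - - [25/Apr/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 2048 TLSv1.3 "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.13 - - [25/Apr/2018:10:00:04 +0000] "GET /rules/snapshot-2983.tar.gz?oinkcode=REDACTED HTTP/1.1" 200 512 TLSv1.1 "curl/7.19.7"
198.51.100.14 - - [25/Apr/2018:10:00:05 +0000] "GET / HTTP/1.1" 301 0 - "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.15 - - [25/Apr/2018:10:00:06 +0000] "GET /rules/snapshot-2983.tar.gz?oinkcode=REDACTED HTTP/1.1" 200 512 TLSv1.2 "curl/7.58.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<proto>\S+) "(?P<ua>[^"]*)"$'
)


def tls_version(token):
    """Map an $ssl_protocol token to a comparable (major, minor) tuple.

    'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2), 'SSLv3' -> (0, 3);
    '-' (plain HTTP, no TLS at all) -> None.
    """
    if token == "-":
        return None
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", token)
    if m:
        return (1, int(m.group(1) or 0))
    if token == "SSLv3":
        return (0, 3)
    raise ValueError(f"unrecognised protocol token: {token!r}")


def survey(log_text, floor=(1, 2)):
    """Count requests by negotiated protocol and list the agents below the floor."""
    report = {
        "total": 0,            # every parsed request
        "plaintext": 0,        # requests that arrived over plain HTTP
        "tls": 0,              # requests that negotiated some TLS/SSL version
        "below_floor": 0,      # TLS requests below `floor` (would be refused)
        "by_protocol": Counter(),
        "locked_out_agents": Counter(),
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        report["total"] += 1
        ver = tls_version(m["proto"])
        if ver is None:
            report["plaintext"] += 1
            continue
        report["tls"] += 1
        report["by_protocol"][m["proto"]] += 1
        if ver < floor:
            report["below_floor"] += 1
            report["locked_out_agents"][m["ua"]] += 1
    return report


def locked_out_share(report):
    """Fraction of TLS connections that would fail once the floor is enforced."""
    return report["below_floor"] / report["tls"] if report["tls"] else 0.0


if __name__ == "__main__":
    r = survey(SAMPLE_LOG)
    print(f"{r['total']} requests, {r['plaintext']} plain HTTP, {r['tls']} TLS")
    print("by protocol:", dict(r["by_protocol"]))
    print(f"below TLS 1.2: {r['below_floor']} ({locked_out_share(r):.0%} of TLS)")
    for agent, n in r["locked_out_agents"].most_common():
        print(f"  would be locked out: {agent} ({n})")
```

Run it against a real log after confirming the server writes `$ssl_protocol` into the log format; the `locked_out_agents` list is what tells you whether the stragglers are the ancient installs the post expects (an old wget or curl built against OpenSSL 0.9.8, say) or something that still needs a heads-up before the cutover.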

2 comments:

  1. SUSE Linux Enterprise Server 11 SP4 uses OpenSSL 0.9.8j, which doesn't support TLS 1.2, so wget etc. will fail for oink updates. SLES 11 SP4 end of support is March 31, 2019.

    Replies
    1. https://www.suse.com/documentation/suse-best-practices/pdfdoc/securitymodule/securitymodule.pdf