The recent round of Windows Updates released on 10/11/16 now correctly identifies sites with poor encryption levels when using Internet Explorer (IE) 11. The quick fix (not recommended) is to enable Secure Sockets Layer (SSL) 3.0, Transport Layer Security (TLS) 1.0, TLS 1.1 and TLS 1.2 in IE under Settings (Gear), Internet Options, Advanced tab, which restores access to the sites that use weak encryption. The only encryption protocol you should use with SSL is TLS 1.2. All versions prior to TLS 1.2 have been deprecated because of the Heartbleed and POODLE vulnerabilities.

To fix this issue on the SonicWall SSL VPN appliances:
- Verify you are running the latest version of the SSL VPN firmware. As of this date the latest version of the SSL VPN virtual appliance is 8.1.0.5.
- Make sure you have a valid commercial SSL Certificate installed on the SSL VPN Appliance. This will help protect against man-in-the-middle attacks.
- Log in to the SSL VPN as Admin to the Local Domain.
- In the address bar of your browser manually change the address to https://<fqdn_of_the_SSL_VPN_Appliance>/cgi-bin/diag
- Click on Internal Settings.
- Under SSL Settings clear the checkbox Use only RC4-SHA Cipher for SSL Transactions.
- Click Accept.
- Click Go Back.
- Under System, Administration, in Global SSL/TLS Settings, select only TLSV1.2.
- Optionally you can also check Enforce Forward Secrecy to protect against a Private Key compromise.
- Open a browser, navigate to https://www.ssllabs.com/ssltest/ and enter the FQDN of the SSL VPN, then click Submit. If you've already scanned the site, click Clear cache to force a rescan. You should now receive an A grade; before these changes the grade will be an F. You can also use this site to test other web servers running SSL encryption.
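A local cross-check of the steps above, added here as an example (it is not SonicWall's code or part of the original post): it attempts one handshake per protocol version against your own appliance and reports any version other than TLS 1.2 that is still accepted, plus an RC4 or non-forward-secret suite negotiated on TLS 1.2. It assumes port 443 and an OpenSSL-backed Python whose build can still speak TLS 1.0/1.1; the function names `probe` and `assess` are illustrative.

```python
import socket
import ssl
import sys

# After the change only TLSv1.2 should be accepted. SSL 3.0 is not probed:
# most current OpenSSL builds cannot speak it at all.
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, version, timeout=5.0):
    """Handshake pinned to one version: cipher name if accepted,
    "" if the handshake is refused, None if the host is unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # testing protocol support only,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    ctx.minimum_version = ctx.maximum_version = version
    # Assumption: OpenSSL-backed Python. Lower the local security level so
    # the client itself does not veto TLS 1.0/1.1 or weak suites.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]
    except OSError:  # covers ssl.SSLError, resets and timeouts
        return ""
    finally:
        raw.close()

def assess(results):
    """Map {version name: probe() result} to a list of findings."""
    out = []
    for name, cipher in results.items():
        if cipher is None:
            out.append(f"{name}: unreachable, no conclusion")
        elif name == "TLSv1.2" and not cipher:
            out.append("TLSv1.2: refused")
        elif name != "TLSv1.2" and cipher:
            out.append(f"{name}: still accepted ({cipher})")
        elif cipher and ("RC4" in cipher or not cipher.startswith(("ECDHE", "DHE"))):
            out.append(f"TLSv1.2: weak or non-forward-secret suite {cipher}")
    return out

if __name__ == "__main__":
    host = sys.argv[1]  # FQDN of your own appliance
    found = assess({n: probe(host, 443, v) for n, v in VERSIONS.items()})
    print("\n".join(found) or "Only TLSv1.2 accepted, forward-secret suite")
```

A non-forward-secret finding on TLS 1.2 is expected if you left Enforce Forward Secrecy unchecked, since that step is optional.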
Please stay safe everyone!