SSL cipher support

Thanks for the information about the fact that there won't be a general firmware with SSL/TLS due to the ultra-low-voltage microprocessor. I could find no references to that on this support forum, only references to a public beta build with it included and open discussion items.

I do understand the issue with the man-in-the-middle, and ideally removal of the cipher would be the best option. In this circumstance I think using the built-in firewall is going to be my best option. But I would like to take a moment to explain why myself and others may bring it up. The reasons are really twofold.
First would be manageability. As I mentioned, modern browsers hard stop on the old ciphers. After much trial and error, I identified that Firefox ESR 31.0 works, but Firefox ESR 31.8 does not. Somewhere in the versions between 31.0 and 31.8 SSLv3 is disabled.
Second is our annoying security team. Our devices are in a LAN environment without public access. That does not stop security from scanning all known devices for security issues. And the CVSS base score for this is a 9.8, on a ten-point scale. I am sure everyone's different, but in our case all these scans go against a 'security report card' that our cyber insurance provider uses to base our premium against. Yes, I will be using the built-in firewall to hide the devices from the security scanners. Security through obscurity is just not an ideal situation.

Comments

  • Administrator
    edited August 18
    In the next release of the firmware it will be possible to disable the web server altogether and only leave those protocols open that you need - typically SNMP or Modbus TCP.

    A work-around today is to use an invalid IP address in the firewall for web access.

    The next gen Sensorgateway will support TLS.

    For specific customers we have also designed non-generic custom firmware with TLS. However, support of all current firmware features and TLS on the chip is not possible.

    Depending on what features you need, the beta version on this forum could also do the trick for you.