
Our company network uses a Sophos firewall with an Apache reverse proxy, which is configured to allow HTTPS connections.

After we realized that some of our clients cannot connect over HTTPS, our internal network department told us that the OpenSSL settings of the Apache reverse proxy may be adjusted to our specific needs, but the settings might get overwritten with every Sophos firewall update.

Is there a way to protect the OpenSSL configuration so that Sophos updates will not be able to change it?

'Bonus' question: is it a common feature of commercial firewall products to override customer configuration? ;)

mjn

1 Answer


Well, you can make the file immutable:

$ sudo chattr +i /path/to/filename

To get around that, the Sophos installer would have to remove the immutable flag before writing the file, which I very much doubt they're doing. This may break their installer, though. You should make sure you have a copy of the OpenSSL config in your config management system so that you can re-deploy it if needed.

EEAA
  • Ok, we could try this or a way to apply a scripted "patch" after every update. Actually we only need to take care of the SSL cipher suite, which is one parameter line in the config file – mjn Oct 29 '15 at 15:45
  • Yah, there's no way to protect a single line. You'll need to script this out. – EEAA Oct 29 '15 at 15:46
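The scripted re-apply that the comments settle on, written out as an added example (it is not from the answer, the question, or Sophos): it rewrites only the SSLCipherSuite directive in place and leaves the rest of the file alone. The config path and cipher lists are constructed placeholders, the script assumes the cipher list contains no whitespace, and if you also used chattr +i you must drop the flag before running it and set it again afterwards.

```shell
#!/bin/sh
# Re-apply one SSLCipherSuite line after a firewall update has rewritten the
# Apache/OpenSSL config. Paths and cipher strings used here are constructed
# placeholders, not Sophos' real paths or a recommended cipher list.
set -eu

# ensure_cipher_line FILE CIPHERS
# Replaces the first SSLCipherSuite directive with CIPHERS (keeping its
# indentation), drops any duplicate directives, appends one if none exists,
# and prints "changed" or "unchanged". The file is rewritten with cat, not
# mv, so its owner, mode and inode survive. If the file is immutable
# (chattr +i) the write fails and set -e aborts the script, which is the
# intended signal that the flag has to be removed first.
ensure_cipher_line() {
    file=$1
    ciphers=$2
    tmp=$(mktemp)
    awk -v want="$ciphers" '
        $1 == "SSLCipherSuite" {
            if (!done) {
                match($0, /^[ \t]*/)
                print substr($0, 1, RLENGTH) "SSLCipherSuite " want
                done = 1
            }
            next
        }
        { print }
        END { if (!done) print "SSLCipherSuite " want }
    ' "$file" > "$tmp"
    if cmp -s "$tmp" "$file"; then
        rm -f "$tmp"
        echo unchanged
    else
        cat "$tmp" > "$file"
        rm -f "$tmp"
        echo changed
    fi
}

# has_cipher_line FILE CIPHERS -> exit 0 if the directive is set to CIPHERS
# (useful as a post-update check before restarting Apache).
has_cipher_line() {
    awk -v want="$2" '
        $1 == "SSLCipherSuite" && $2 == want { found = 1 }
        END { exit !found }
    ' "$1"
}
```

Run it from cron or as a post-update hook: `ensure_cipher_line /etc/apache2/ssl.conf 'YOUR:CIPHER:LIST'` (placeholder path and list), then `has_cipher_line` with the same arguments to confirm before reloading Apache.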