A while back I was getting a grade of "A" from ssllabs.com for my USG100. Now it is down to a "C" for the following reasons:
-Upgrade to SHA2 to avoid browser warnings.
-The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
-The server does not support Forward Secrecy with the reference browsers.
I don't expect the Zywall USG 100 to last forever nor handle the increased processing power for updated ciphers so I am hoping the USG110 can handle these issues.
The SHA2 is now addressed with the latest firmware for the USG110 (hopefully it works). It also seems that they went one level higher with the DH. I would like more variants of forward secrecy covered. And then there is the big item: TLS 1.2.
Has anyone else run ssllabs.com against a USG110 using SSLVPN?
Any word on the unaddressed weaknesses above from Zyxel (rumors accepted)? I am well aware of the current SSLVPN limitations (Java browser support and Internet Explorer facing extinction). I did apply the 2015 week 49 patches (thank you Brano), which address numerous bugs and logjam and also removed this:
-This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B
I did retest this to a control Zywall USG 100 just in case this online test had changed (it evidently did not).