Server fails Pen Test scan & DigiCert - insecure Ciphers

BLortz

Server fails Pen Test scan & DigiCert - insecure Ciphers

Post by BLortz » Mon Jun 05, 2017 6:26 pm

The following is true on the following versions of SoftEther - Version 21 and Version 22. It may be true on earlier versions.

We have our SoftEther server set up to listen on port 5555 with the encryption algorithm name AES256-SHA256.

When we ran a penetration test on the server, port 5555 showed an issue. The scan reported insecure ciphers - TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, and TLS_RSA_WITH_RC4_128_MD5.

We can also run a test with DigiCert asking it to check for common vulnerabilities and see the same list of ciphers.

On version 22 (the version we are using), we have disabled SSL, and TLS1.0 and TLS1.1. We only have TLS1.2 enabled (which shows on the DigiCert test).

We have a few concerns:
1. How can we find out which cipher was actually negotiated for a connection? We want it to be AES256-SHA256.
2. Is this a real finding or a false positive? If it is a false positive how can we prove that? Even if someone could provide a narrative on why it is a false positive it would be helpful.
3. Is there a config option or patch that would prevent this finding?

Bill
Attachment: Digicert-Capture-2017-0605.JPG (redacted screen print from the DigiCert.com test)
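One way to answer questions 1 and 2 from the defender's side, as an added example that is not from this post or from the SoftEther project: a Python client that pins TLS 1.2, reports which suite the server actually negotiates, then offers only each flagged suite to see whether the server accepts it. Host and port are assumed to be your own server (the 5555 listener described above); the cipher-name mapping is the standard IANA-to-OpenSSL naming.

```python
import socket
import ssl

# Scanner findings quoted in the post, as IANA name -> OpenSSL cipher name.
FLAGGED = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
}
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXP")

def is_weak(openssl_name):
    # Classify a negotiated cipher by OpenSSL name (match on known weak primitives).
    return any(m in openssl_name.upper() for m in WEAK_MARKERS)

def negotiate(host, port, cipher_string=None, timeout=5.0):
    # Do one TLS 1.2 handshake; return (cipher, protocol) the server picked,
    # or None if the server refused. cipher_string limits what the client offers.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # only the cipher matters here, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites ignore set_ciphers
    if cipher_string:
        ctx.set_ciphers(cipher_string)    # raises ssl.SSLError if local OpenSSL lacks it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return name, proto
    except (ssl.SSLError, ConnectionResetError):
        return None

def probe_flagged(host, port):
    # For each flagged suite: 'accepted', 'rejected', or 'untestable' from this client.
    results = {}
    for iana, openssl_name in FLAGGED.items():
        try:
            outcome = negotiate(host, port, openssl_name)
        except ssl.SSLError:
            results[iana] = "untestable (local OpenSSL does not implement it)"
            continue
        results[iana] = "accepted" if outcome else "rejected"
    return results

def verdict(results):
    # True if any flagged suite was accepted: the finding is real, not a false positive.
    return any(v == "accepted" for v in results.values())
```

Run `negotiate("vpn.example.com", 5555)` (placeholder host) to see the suite a default client gets, and `verdict(probe_flagged("vpn.example.com", 5555))` to confirm or refute the scanner; an "untestable" result means your client's OpenSSL no longer ships that suite, so the server's answer could not be observed from this machine.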

thisjun

Re: Server fails Pen Test scan & DigiCert - insecure Cipher

Post by thisjun » Thu Jun 15, 2017 6:02 am

The developer of SoftEther VPN seems to love backward compatibility.
So, SoftEther leaves the old ciphers as an option.
