Which cipher suites are accepted by TLSv1.2?

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
u1ukbek
Posts: 3
Joined: Mon May 27, 2019 7:33 am

Which cipher suites are accepted by TLSv1.2?

Post by u1ukbek » Wed Jul 10, 2019 6:13 am

Deal all,

Please confirm or deny acceptance of SoftEther service using only TLSv1.2 following ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32),
TLS_RSA_WITH_RC4_128_MD5,
TLS_RSA_WITH_RC4_128_SHA.

Where can I find accepted ciphers for specific protocal version? Is it possible to disable specific weak ciphers?
--
Additional info:
- OpenVPN is not used.
- SSL(all), TLS v1.0, v1.1 are disabled.
- OpenVAS scan gave this result:
'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

With best regards,
u1ukbek

cladmonitor
Posts: 3
Joined: Tue Nov 13, 2018 6:16 pm

Re: Which cipher suites are accepted by TLSv1.2?

Post by cladmonitor » Tue Sep 17, 2019 4:40 pm

Bump, can somone please weigh in on this?!

The ability to use this is becoming more problematic by the day. There should be no legitimate reason that weak ciphers are enabled by default and even more so that there's no mechanism to choose the cipher suites used.

The OpenVPN components should have some further advanced config to allow or disallow suites, and more modern hashing algorithms.

Simply running https://www.ssllabs.com/ssltest/index.html against a SoftEther server returns scary results that pass no compliance or best practice scrutiny, our developer would love to weigh in on this but starting from the ground up on determining what changes need to be made seem like a massive task and would need somone whos done a deep-dive on the code to get started.

ozone
Posts: 34
Joined: Thu Sep 19, 2019 7:18 pm

Re: Which cipher suites are accepted by TLSv1.2?

Post by ozone » Sat Sep 21, 2019 3:25 pm

+1

I am looking for a solution too to avoid usage of weak ciphers in site to site vpn connections with servers of different makes.

cladmonitor
Posts: 3
Joined: Tue Nov 13, 2018 6:16 pm

Re: Which cipher suites are accepted by TLSv1.2?

Post by cladmonitor » Mon Sep 30, 2019 7:51 pm

Our internal developer (Nick H.) and I have worked through the following and will be presenting several pull requests which expose the ability to harden the openvpn and softether vpn components by doing the following.

1. For softether enforcing encryption server side.
- If this boolean is set to true in the config, encryption will be enforced. If the client is set to "disable encryption" during the negotiation the server will ignore the client and complete the tunnel with encryption. (this is client agnostic, meaning existing client versions do not need any changes)
2. For OpenVPN, only specific ciphers / MDs will be accepted.
- Two new string options in the server config will allow the server to discriminate on allowed ciphers and MDs to connect. (This includes removing the ability to set the cipher to "none")
3. Increasing the Radius time-out.
- The current 10 second maximum radius connection timeout is entirely too small. Since modern MFA has been introduced that holds the radius session open in waiting for a MFA exchange to occur, the 10 seconds and auto-reattempt will cause multiple MFA tokens to be sent/requested which has been a major issue with SE.
4. Cipher Availability Limiting
- Because the web server of softether allows the entire list of ciphers to be exposed for connection (regardless of what is configured using "CipherName") it exposes a tremendous amount of risk that the web server could be an attack vector. We are going to propose a new String value option to limit the available cipher packages within SoftEther in general (this one we are still testing best implementation options).

Thanks,
Eric Sakariasen
CTO
Connetic IT Support

Post Reply