Open VPN AS Web Server - Ciphers

dfisicaro
OpenVpn Newbie
Posts: 4
Joined: Tue Dec 16, 2014 11:03 am

Post by dfisicaro » Wed Feb 08, 2017 10:08 am

Hi All,

Our Nessus server is reporting that our OpenVPN AS Server Web Server is allowing weak ciphers and I'm trying to find the right command to disable them.

List of 64-bit block cipher suites supported by the remote server :

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1


I've found this link and command which looks like I can run it on my server, but just trying to confirm the correct syntax:

https://docs.openvpn.net/docs/access-se ... phersuites

cs.openssl_ciphersuites

Thanks,

Daniel

ThierryIT69
OpenVpn Newbie
Posts: 6
Joined: Wed Feb 08, 2017 2:45 pm

Re: Open VPN AS Web Server - Ciphers

Post by ThierryIT69 » Wed Feb 08, 2017 2:45 pm

You should remove all cipher suites with DES in them ...

Re: Open VPN AS Web Server - Ciphers

Post by dfisicaro » Thu Feb 09, 2017 9:49 am

Yes, but I'm after the correct syntax for this command. I know what we need to do.

Example:
./sacli -k cs.openssl_ciphersuites -v 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA' ConfigPut

Re: Open VPN AS Web Server - Ciphers

Post by dfisicaro » Thu Feb 09, 2017 10:19 am

I'm trying this:

From this Directory: /usr/local/openvpn_as/scripts

./sacli -k cs.openssl_ciphersuites -v 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!MEDIUM:!RC4:!kRSA:!3DES' ConfigPut
./sacli start
RunStart warm None
{
  "errors": {},
  "service_status": {
    "api": "on",
    "auth": "on",
    "bridge": "on",
    "client_query": "on",
    "crl": "on",
    "daemon_pre": "on",
    "db_push": "on",
    "ip6tables_live": "on",
    "ip6tables_openvpn": "on",
    "iptables_live": "on",
    "iptables_openvpn": "on",
    "iptables_web": "restarted",
    "license": "on",
    "log": "on",
    "openvpn_0": "on",
    "openvpn_1": "on",
    "user": "on",
    "web": "restarted"
  }
}
WILL_RESTART ['web']

Will wait to see the results.

Re: Open VPN AS Web Server - Ciphers

Post by dfisicaro » Fri Feb 10, 2017 10:57 am

Looks like this has worked.
Will wait a couple more scans to make sure.
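
A way to check a candidate cs.openssl_ciphersuites value before the next scan, added here as an example and not part of the original thread: it flags 64-bit block cipher suites in `openssl ciphers -v` style listings such as the Nessus output quoted in the first post. The function names and the sample listing are constructed for illustration, and the local openssl build may expand a cipher string differently from the one bundled with Access Server.

```shell
#!/usr/bin/env bash
# Added example: flag 64-bit block cipher suites in `openssl ciphers -v`
# style listings (the format Nessus quotes in its finding).

# Constructed sample: the three suites from the scan output plus one AES suite.
SAMPLE='EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Read suite lines on stdin; print the name of every suite whose Enc= field
# names a 64-bit block cipher (3DES, DES, IDEA, RC2).
weak_suites() {
  awk '{
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^Enc=/) {
        alg = $i
        sub(/^Enc=/, "", alg)   # drop the field label
        sub(/\(.*$/, "", alg)   # drop the "(168)" key-size suffix
        sub(/-CBC$/, "", alg)   # Nessus writes 3DES-CBC, openssl writes 3DES
        if (alg ~ /^(3DES|DES|IDEA|RC2)$/) print $1
      }
    }
  }'
}

# Expand a cipher string with the local openssl binary and check the result.
# Returns 0 when no 64-bit block cipher suite is left, 1 when some remain,
# 2 when openssl cannot expand the string (syntax error or empty result).
check_cipher_string() {
  cs_expanded=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
  cs_weak=$(printf '%s\n' "$cs_expanded" | weak_suites)
  [ -z "$cs_weak" ] && return 0
  printf 'still enabled: %s\n' $cs_weak
  return 1
}

# Demo on the constructed sample: prints the three DES-CBC3 suite names.
printf '%s\n' "$SAMPLE" | weak_suites
```

Calling `check_cipher_string` with the value intended for `-v` shows, one per line, any 3DES suite the string would still leave enabled.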
