Trying to ascertain if PFS can be implemented in community edition of Access Server.
Searching for +perfect +forward in this forum in advanced search only returns results containing perfect but not forward.
Thought a guru here could advise me if this is possible in Access Server, and if so, how or where the directions are for this.
Information on how to implement this is not easy to find.
Thank you.
Perfect Forward Secrecy available by default in Access Server?
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jul 15, 2017 1:40 am
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jul 15, 2017 1:40 am
Re: Perfect Forward Secrecy available by default in Access Server?
2.1.9 on CentOS 7
Thanks.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jul 15, 2017 1:40 am
Re: Perfect Forward Secrecy available by default in Access Server?
Is it even possible to use AS with perfect forward secrecy?
Maybe that's a better question to ask than how to do it.
Lots of cloak and dagger around PFS, difficult to find answers. Wonder why?
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Perfect Forward Secrecy available by default in Access Server?
OpenVPN tunnels are secure, no need to worry about that with this issue. This issue applies purely to the web services. By default ciphers are allowed that support PFS, and a few for backwards compatibility reasons that don't support PFS. Most ordinary systems will select the more secure ciphers that use PFS. If you run a penetration test with software that will negotiate for the lesser ciphers that don't support PFS, then you will get a result that states that PFS is not supported for those ciphers. If you want to get rid of this warning then disable any ciphers that don't do PFS.
https://docs.openvpn.net/docs/access-se ... phersuites
Use a site such as Qualys Labs SSL to test your system and see which ciphers you want to disable.
So in short, yes, of course AS supports PFS, out of the box. There's no cloak and dagger going on. Just take a look at the cipher suite string and adjust it to your own wishes.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
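Added example, not part of the original posts and not OpenVPN's own code: a small audit of which suites in an OpenSSL-style cipher list lack forward secrecy, which is the check the reply above suggests doing before trimming the web services' cipher suite string. The function names and the sample list are assumptions constructed for illustration; `expand()` depends on the local OpenSSL build.

```python
import ssl

# Prefixes of OpenSSL suite names (TLS 1.2 and earlier) that indicate an
# ephemeral, authenticated (EC)DH key exchange, i.e. forward secrecy.
# Anonymous ADH-/AECDH- suites are ephemeral too but unauthenticated, so
# they are deliberately not counted as acceptable here.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def supports_pfs(suite_name: str) -> bool:
    """Return True if the OpenSSL-style suite name implies forward secrecy."""
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use (EC)DHE.
    if suite_name.startswith("TLS_"):
        return True
    # Plain names such as AES128-SHA use static RSA key exchange, and
    # ECDH-* (without the E) is static ECDH: neither gives PFS.
    return suite_name.startswith(EPHEMERAL_PREFIXES)


def non_pfs(suite_names):
    """Return the suites from the list that do not provide PFS."""
    return [name for name in suite_names if not supports_pfs(name)]


def expand(cipher_string: str):
    """Expand an OpenSSL cipher string using the local OpenSSL library."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: a mix of PFS suites and backwards-compatibility suites.
SAMPLE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_128_GCM_SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    print("non-PFS suites in sample:", non_pfs(SAMPLE))
    # Assumed cipher string for illustration; substitute the one configured
    # on your server. Output varies with the installed OpenSSL version.
    print("non-PFS suites in HIGH:!aNULL:", non_pfs(expand("HIGH:!aNULL")))
```

Any suite this reports is a candidate to exclude from the cipher string; re-run an external TLS scan afterwards to confirm what the server actually negotiates.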