Perfect Forward Secrecy available by default in Access Server?

bulgin
OpenVpn Newbie
Posts: 4
Joined: Sat Jul 15, 2017 1:40 am

Perfect Forward Secrecy available by default in Access Server?

Post by bulgin » Sat Jul 15, 2017 1:43 am

Trying to ascertain if PFS can be implemented in community edition of Access Server.

Searching for +perfect +forward in this forum in advanced search only returns results containing perfect but not forward.

Thought a guru here could advise me if this is possible in Access Server, and if so, how or where the directions are for this.

Information on how to implement this is not easy to find.

Thank you.

TinCanTech
OpenVPN Protagonist
Posts: 2997
Joined: Fri Jun 03, 2016 1:17 pm

Re: Perfect Forward Secrecy available by default in Access Server?

Post by TinCanTech » Sat Jul 15, 2017 3:00 am

What version? :roll:

bulgin
OpenVpn Newbie
Posts: 4
Joined: Sat Jul 15, 2017 1:40 am

Re: Perfect Forward Secrecy available by default in Access Server?

Post by bulgin » Sat Jul 15, 2017 2:16 pm

2.1.9 on CentOS 7

Thanks.

bulgin
OpenVpn Newbie
Posts: 4
Joined: Sat Jul 15, 2017 1:40 am

Re: Perfect Forward Secrecy available by default in Access Server?

Post by bulgin » Sun Jul 16, 2017 12:11 am

Is it even possible to use AS with perfect forward secrecy?

Maybe that's a better question to ask than how to do it.

Lots of cloak and dagger around PFS; difficult to find answers. Wonder why?

novaflash
OpenVPN Expert
Posts: 441
Joined: Fri Apr 13, 2012 8:43 pm

Re: Perfect Forward Secrecy available by default in Access Server?

Post by novaflash » Sun Jul 23, 2017 10:33 am

OpenVPN tunnels are secure, no need to worry about that with this issue. This issue applies purely to the web services. By default, ciphers are allowed that support PFS, and a few for backwards compatibility reasons that don't support PFS. Most ordinary systems will select the more secure ciphers that use PFS. If you run a penetration test with software that will negotiate for the lesser ciphers that don't support PFS, then you will get a result that states that PFS is not supported for those ciphers. If you want to get rid of this warning, then disable any ciphers that don't do PFS.

https://docs.openvpn.net/docs/access-se ... phersuites

Use a site such as Qualys Labs SSL to test your system and see which ciphers you want to disable.

So in short, yes, of course AS supports PFS, out of the box. There's no cloak and dagger going on. Just take a look at the cipher suite string and adjust it to your own wishes.
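
An added example, not part of the thread and not OpenVPN's own code: a small Python audit that sorts the suites a scanner reports for the web service into those with forward secrecy and those without, then builds a cipher list from the ones worth keeping. It assumes OpenSSL-style suite names; the sample list is constructed.

```python
import re

# Key exchange is read from the OpenSSL suite name. Ephemeral (EC)DHE gives
# forward secrecy; "EDH" is OpenSSL's older spelling of DHE. OpenSSL's TLS 1.3
# suite names (TLS_AES_*, TLS_CHACHA20_*) always use an ephemeral exchange.
_EPHEMERAL = re.compile(r"^(ECDHE|DHE|EDH)-")
_ANONYMOUS = re.compile(r"^(ADH|AECDH)-")  # ephemeral but unauthenticated
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")


def classify(suite):
    """Return 'pfs', 'anonymous' or 'no-pfs' for one OpenSSL suite name."""
    name = suite.strip().upper()
    if _TLS13.match(name) or _EPHEMERAL.match(name):
        return "pfs"
    if _ANONYMOUS.match(name):
        return "anonymous"
    # Everything else: RSA key transport (e.g. AES256-SHA), static DH-/ECDH-,
    # plain PSK- and RSA-PSK- suites. None of these is ephemeral.
    return "no-pfs"


def audit(suites):
    """Group suite names by classification, keeping the order given."""
    report = {"pfs": [], "anonymous": [], "no-pfs": []}
    for suite in suites:
        report[classify(suite)].append(suite.strip())
    return report


def pfs_cipher_list(suites):
    """Colon-separated list of the PFS suites. TLS 1.3 names are left out:
    OpenSSL configures those separately from the TLS 1.2 cipher list."""
    keep = [s for s in audit(suites)["pfs"] if not _TLS13.match(s.upper())]
    return ":".join(keep)


# Constructed sample: suites a scanner might report for a web service.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "ECDH-RSA-AES128-SHA", "DES-CBC3-SHA", "ADH-AES128-SHA",
]

if __name__ == "__main__":
    for label, names in audit(SAMPLE).items():
        print(f"{label:9} {', '.join(names)}")
    print("cipher list:", pfs_cipher_list(SAMPLE))
```

Anything listed under `no-pfs` or `anonymous` is a candidate to drop from the web service's cipher suite string before re-running the scan.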
