
Open VPN AS Web Server - Ciphers

Posted: Wed Feb 08, 2017 10:08 am
by dfisicaro
Hi All,

Our Nessus server is reporting that our OpenVPN AS Server Web Server is allowing weak ciphers and I'm trying to find the right command to disable them.

List of 64-bit block cipher suites supported by the remote server :

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1


I've found this link and command which looks like I can run it on my server, but just trying to confirm the correct syntax:

https://docs.openvpn.net/docs/access-se ... phersuites

cs.openssl_ciphersuites

Thanks,

Daniel

Re: Open VPN AS Web Server - Ciphers

Posted: Wed Feb 08, 2017 2:45 pm
by ThierryIT69
You should remove all cipher suites with DES in them ...

Re: Open VPN AS Web Server - Ciphers

Posted: Thu Feb 09, 2017 9:49 am
by dfisicaro
Yes, but I'm after the correct syntax for this command. I know what we need to do.

Example:
./sacli -k cs.openssl_ciphersuites -v 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA' ConfigPut

Re: Open VPN AS Web Server - Ciphers

Posted: Thu Feb 09, 2017 10:19 am
by dfisicaro
I'm trying this:

From this Directory: /usr/local/openvpn_as/scripts

./sacli -k cs.openssl_ciphersuites -v 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!MEDIUM:!RC4:!kRSA:!3DES' ConfigPut
./sacli start
RunStart warm None
{
  "errors": {},
  "service_status": {
    "api": "on",
    "auth": "on",
    "bridge": "on",
    "client_query": "on",
    "crl": "on",
    "daemon_pre": "on",
    "db_push": "on",
    "ip6tables_live": "on",
    "ip6tables_openvpn": "on",
    "iptables_live": "on",
    "iptables_openvpn": "on",
    "iptables_web": "restarted",
    "license": "on",
    "log": "on",
    "openvpn_0": "on",
    "openvpn_1": "on",
    "user": "on",
    "web": "restarted"
  }
}
WILL_RESTART ['web']

Will wait to see the results.

Re: Open VPN AS Web Server - Ciphers

Posted: Fri Feb 10, 2017 10:57 am
by dfisicaro
Looks like this has worked.
Will wait a couple more scans to make sure.
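
A way to check a cipher string between scans, as an added example that is not part of the original thread: the filter below picks out suites using a 64-bit block cipher (3DES, DES, IDEA, RC2) from lines in the format Nessus reported, and can be run over the local expansion of the string passed to cs.openssl_ciphersuites. The function names are hypothetical, the sample input is constructed from the lines quoted in the first post plus one AES line, and check_cipher_string assumes an openssl binary on the PATH whose build may differ from the one Access Server uses, so a rescan remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read suite lines in `openssl ciphers -v` / Nessus format on stdin:
#   NAME [PROTO] Kx=... Au=... Enc=ALG(BITS) Mac=...
# Print the name of every suite whose Enc= algorithm has a 64-bit block.
weak_suites() {
    awk '
    {
        enc = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
        if (enc == "") next              # headings, blank lines, "TLSv1"
        alg = enc
        sub(/\(.*/, "", alg)             # "3DES-CBC(168)" -> "3DES-CBC"
        if (alg ~ /^(3DES|DES|IDEA|RC2)(-|$)/) print $1
    }'
}

# Expand a cipher string with the local openssl and list any 64-bit block
# suites it still permits. Returns 0 = none, 1 = some remain, 2 = the
# string could not be expanded (assumes openssl is installed).
# e.g. check_cipher_string 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!MEDIUM:!RC4:!kRSA:!3DES'
check_cipher_string() {
    _expanded=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
    _weak=$(printf '%s\n' "$_expanded" | weak_suites)
    [ -z "$_weak" ] && return 0
    printf '%s\n' "$_weak"
    return 1
}

# Constructed sample: the three suites from the scan output in the first
# post, plus one AES suite added here for contrast.
sample_scan_output() {
    cat <<'EOF'
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-AES256-SHA Kx=ECDH Au=RSA Enc=AES-CBC(256) Mac=SHA1
EOF
}

# Run the filter over the sample; only the 3DES suites are listed.
sample_scan_output | weak_suites
```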