Hello, after an internal security scan of my OpenVPN Access Server, it was found that the web server has the following weak ciphers enabled:
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
I want to know how to disable them.
Regards
How to disable Openvpn Access Server web server weak ciphers
openvpn_inc (OpenVPN Inc.)
Re: How to disable Openvpn Access Server web server weak ciphers
Hello rodrigoechaide,
We try to select a reasonable default for you to strike a balance between stability, compatibility, and security. The definition of "weak" is always changing in the world of security. Therefore, we allow a custom cipher suite string to be specified so you can tailor it to your needs. See this page for details:
https://openvpn.net/vpn-server-resource ... web-server
In this particular case, though, what you'll probably want to do is go to the Admin UI, open TLS Settings, and configure the web service to allow only TLS 1.3. The test you're running should then not be able to use those ciphers anymore.
Note that this might have some effect on older clients trying to use older server-locked profiles, or cause issues with importing profiles on some clients. If you don't want that, then stick to TLS 1.2 and investigate implementing a custom cipher suite that removes those ciphers you don't like. As always, if you deviate from recommended defaults, you may end up accidentally shooting yourself in the foot. But with care and testing you should be able to achieve the result that you want.
Kind regards,
Johan

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
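The custom cipher suite string Johan mentions is the TLS 1.2 route. Before putting a string into Access Server it is worth checking, offline, which suites it actually expands to and whether any of the eight suites from the scan survive. The following script is an added example written for this thread; it is not code from the forum post or from OpenVPN Inc. It assumes the Access Server setting accepts OpenSSL cipher-string syntax (the same syntax `openssl ciphers` understands) and expands the string through Python's `ssl` module, which uses the local OpenSSL library. Both cipher strings in it are constructed for illustration and are not Access Server's real default:

```python
import ssl

# The suites the scanner flagged in the post, given as IANA names, mapped to the
# OpenSSL names that SSLContext.get_ciphers() reports.  This is the standard
# IANA/OpenSSL naming correspondence, not something taken from the thread.
FLAGGED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256":   "DHE-RSA-AES256-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256":   "DHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":    "ECDHE-RSA-AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA":      "DHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":    "ECDHE-RSA-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA":      "DHE-RSA-AES128-SHA",
}

# Constructed example of a permissive string: "AES" in OpenSSL syntax matches
# CBC, GCM and CCM AES suites alike, so every suite from the scan comes back.
PERMISSIVE = "ECDHE+AES:DHE+AES:!aNULL:!eNULL"

# Constructed example of a hardened TLS 1.2 string: forward-secret key exchange
# combined with AEAD ciphers only, so no CBC/HMAC suite can match.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def pre_tls13_suites(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-earlier suites it enables.

    TLS 1.3 suites are governed by a separate setting in OpenSSL and are not
    affected by the cipher string, so they are left out of the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def flagged_in(cipher_string):
    """Return the IANA names from the scan that the string would still allow."""
    enabled = set(pre_tls13_suites(cipher_string))
    return sorted(iana for iana, ossl in FLAGGED_SUITES.items() if ossl in enabled)


if __name__ == "__main__":
    for label, cipher_string in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        still = flagged_in(cipher_string)
        print(f"{label}: {len(pre_tls13_suites(cipher_string))} TLS<=1.2 suites, "
              f"{len(still)} of the scanned suites still enabled")
        for name in still:
            print("  still enabled:", name)
```

The expansion reflects the OpenSSL build the script runs under, which may differ from the one inside Access Server, so after applying a string re-run the scanner against the live web service to confirm. If the expanded list for a candidate string is empty, `set_ciphers` raises `ssl.SSLError`, which is the same failure Access Server's web service would hit with an unusable string, so catching that before deployment is the point of the check.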
Re: How to disable Openvpn Access Server web server weak ciphers
Hi Johan, perfect! Many thanks for the help and explanation.