How to disable Openvpn Access Server web server weak ciphers

Posted: Mon Feb 14, 2022 3:13 pm
by rodrigoechaide
Hello, after an internal security scan of my OpenVPN Access Server it was found that the web server has the following weak ciphers enabled:

* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA

I want to know how to disable them.

Regards

Re: How to disable Openvpn Access Server web server weak ciphers

Posted: Mon Feb 14, 2022 3:30 pm
by openvpn_inc
Hello rodrigoechaide,

We try to select a reasonable default for you to strike a balance between stability, compatibility, and security. The definition of weak is always changing in the world of security. Therefore we allow a custom cipher suite string to be specified so you can tailor it to your needs. See this page for details:
https://openvpn.net/vpn-server-resource ... web-server

In this particular case, though, what you'll probably want to do is go to the Admin UI, open TLS Settings, and configure the web service to allow only TLS 1.3. The test you're running should then not be able to use those ciphers anymore.

Note that this might have some effect on older clients trying to use older server-locked profiles, or cause issues with importing profiles on some clients. If you don't want that, then stick to TLS 1.2 and investigate implementing a custom cipher suite that removes those ciphers you don't like. As always, if you deviate from recommended defaults, you may end up accidentally shooting yourself in the foot. But with care and testing you should be able to achieve the result that you want.

Kind regards,
Johan
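
For anyone following the TLS 1.2 route above, the two things to get right are (a) that the custom string really drops the eight suites the scanner listed and (b) that the server, after the change, actually refuses them. The script below is an added example written for this thread; it is not OpenVPN's code and does not touch Access Server's configuration. It assumes the custom cipher suite string uses OpenSSL cipher-list syntax, that the `openssl` CLI is installed for the optional live probe, and that the web service is reachable on port 443 (both assumptions; adjust the port to your deployment). The function names, the sample `openssl s_client` output and the scanner list are constructed for the example.

```python
"""Added example: translate scanner cipher names to OpenSSL names, verify a
candidate OpenSSL cipher-list string no longer enables them, and optionally
confirm against the live server with `openssl s_client`."""
import re
import ssl
import subprocess

# Constructed input: the eight suites the scanner reported in the post above.
SCANNER_FINDINGS = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed samples of what `openssl s_client` prints on the "New, ..." line.
SAMPLE_ACCEPTED = "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384\nServer public key is 2048 bit\n"
SAMPLE_REFUSED = "New, (NONE), Cipher is (NONE)\nSecure Renegotiation IS NOT supported\n"

_IANA_RE = re.compile(r"TLS_(ECDHE|DHE)_RSA_WITH_AES_(128|256)_(CBC|GCM)_SHA(256|384)?")


def iana_to_openssl(name):
    """Translate an IANA suite name (scanner style) to OpenSSL's cipher name.

    Covers the ECDHE/DHE-RSA AES-CBC and AES-GCM families, which is wider than
    the eight suites above; returns None for anything else so an unmapped
    suite is noticed rather than silently skipped.
    """
    m = _IANA_RE.fullmatch(name)
    if not m:
        return None
    kx, bits, mode, sha = m.groups()
    if mode == "GCM":
        return f"{kx}-RSA-AES{bits}-GCM-SHA{sha}"
    # CBC suites: OpenSSL omits the mode and writes HMAC-SHA1 as a bare "SHA".
    return f"{kx}-RSA-AES{bits}-SHA{sha or ''}"


def exclusion_string(findings):
    """Build the '!NAME:!NAME:...' fragment that removes the flagged suites
    when appended to a base OpenSSL cipher list such as 'HIGH:!aNULL'."""
    names = [iana_to_openssl(n) for n in findings]
    unmapped = [n for n, o in zip(findings, names) if o is None]
    if unmapped:
        raise ValueError(f"no OpenSSL name known for: {unmapped}")
    return ":".join("!" + n for n in names)


def enabled_flagged_suites(cipher_string, findings):
    """Ask the local OpenSSL which suites CIPHER_STRING actually enables and
    return the ones still among the findings. An empty list means the string
    is clean; this runs offline, before touching the server."""
    flagged = {iana_to_openssl(n) for n in findings}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is left
    return sorted(c["name"] for c in ctx.get_ciphers() if c["name"] in flagged)


def negotiated_cipher(s_client_output):
    """Parse `openssl s_client` output: the negotiated OpenSSL cipher name,
    or None when the server refused the single cipher that was offered."""
    m = re.search(r"Cipher is (\S+)", s_client_output)
    if not m or m.group(1) == "(NONE)":
        return None
    return m.group(1)


def probe(host, iana_name, port=443, timeout=10):
    """Offer only IANA_NAME over TLS 1.2 to host:port (port is an assumption)
    and return the cipher the server accepted, or None if it refused."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-tls1_2", "-cipher", iana_to_openssl(iana_name)]
    done = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return negotiated_cipher((done.stdout + done.stderr).decode(errors="replace"))


if __name__ == "__main__":
    import sys
    candidate = "HIGH:!aNULL:" + exclusion_string(SCANNER_FINDINGS)
    print("candidate cipher string:", candidate)
    print("flagged suites still enabled locally:",
          enabled_flagged_suites(candidate, SCANNER_FINDINGS) or "none")
    if len(sys.argv) > 1:  # usage: python check_ciphers.py vpn.example.com
        for suite in SCANNER_FINDINGS:
            print(f"{suite}: {'ACCEPTED' if probe(sys.argv[1], suite) else 'refused'}")
```

`enabled_flagged_suites` is the pre-change check: it feeds the candidate string to the same OpenSSL library the scanner's names map onto and lists anything that survived, so a typo in the string shows up before the web service is reconfigured. `probe` is the post-change check: offering exactly one cipher per handshake turns the scanner's finding into a yes/no answer per suite, which is also the quickest way to see whether the TLS 1.3-only setting Johan describes has taken effect (every TLS 1.2 probe should then come back refused).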

Re: How to disable Openvpn Access Server web server weak ciphers

Posted: Tue Feb 15, 2022 8:14 am
by rodrigoechaide
Hi Johan, perfect! Many thanks for the help and explanation.