Edit SSL/TLS ciphers in Open VPN AS

Business solution to host your own OpenVPN server with web management interface and bundled clients.
prashan
OpenVpn Newbie
Posts: 2
Joined: Wed Apr 26, 2023 11:47 am

Edit SSL/TLS ciphers in Open VPN AS

Post by prashan » Wed Apr 26, 2023 11:53 am

Hi Team,

After the vulnerability scan, we got a compliance error saying "SSL/TLS Recommended Cipher Suites (PCI DSS)".
I tried to find a way to edit the Cipher Suites in the VPN AS server, but couldn't find one.

OS - Ubuntu 18
Open VPN AS - 2.11.1

Tried to edit the Data channel cipher but it failed. It seems editing the Data Channel Cipher is not an option.

Can someone help me here?

I did go through the below documentation as well
https://openvpn.net/vpn-server-resource ... ss-server/

Appreciate your help in this regard.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Edit SSL/TLS ciphers in Open VPN AS

Post by openvpn_inc » Tue May 16, 2023 11:26 am

Hello prashan,

I would first of all like to recommend that you investigate migrating your current Access Server installation data to a new instance running Ubuntu 22.04 LTS, because Ubuntu 18.04 LTS standard support (there is an extended paid version available) ended April 30th. So there will be no new security updates, and also probably no new Access Server releases will be made for it.

Aside from that, this is a common issue. Ciphers are chosen to strike a balance between security and backwards compatibility. Since you're dealing with compliance you will simply have to select ciphers that make that compliance check happy and forget about the backwards compatibility.

The documentation you found and referenced in your post is for the encryption of the VPN tunnel, not the web service. You can set a custom cipher suite string for the web service using the instructions found here:

https://openvpn.net/vpn-server-resource ... web-server

The cipher suite string is based on the standard OpenSSL naming scheme for ciphers, so you can use the OpenSSL documentation to create a set of cipher suites that are acceptable to your compliance check and remove all others that you don't want. Then load that cipher suite string into Access Server and restart the Access Server service to apply the change. It should then pass the compliance check.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

prashan
OpenVpn Newbie
Posts: 2
Joined: Wed Apr 26, 2023 11:47 am

Re: Edit SSL/TLS ciphers in Open VPN AS

Post by prashan » Mon Mar 25, 2024 4:43 pm

I was able to edit the ciphers.

Below is a sample:

./sacli --key "cs.openssl_ciphersuites" --value 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' ConfigPut
./sacli start
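As an added example (not code from the thread or from OpenVPN Inc.), here is an offline pre-flight check for a cipher string before it is loaded with `./sacli --key "cs.openssl_ciphersuites"`: it splits the string the way OpenSSL does and flags any suite that lacks forward secrecy or AEAD encryption. The policy encoded here (ephemeral key exchange plus GCM or CHACHA20-POLY1305, which is what the string posted above already satisfies) is an assumption, not a PCI DSS requirement text; the weak suites in the test input are constructed.

```python
"""Pre-flight audit of an OpenSSL cipher-suite string for cs.openssl_ciphersuites.
Policy (assumption): each suite must be a TLS 1.3 suite or use ECDHE/DHE, must be
AEAD (GCM or CHACHA20-POLY1305), and must not name an obsolete algorithm."""
import re

# The exact string loaded in the thread above, as OpenSSL receives it.
POSTED = ("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
          "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")


def parse_cipher_string(value):
    """Split on ':' like OpenSSL; entries starting with '!' or '-' are exclusions, not suites."""
    suites = []
    for item in value.split(":"):
        item = item.strip()
        if item and item[0] not in "!-":
            suites.append(item)
    return suites


def audit_suite(name):
    """Return the list of policy findings for one suite name; [] means it passes."""
    findings = []
    if name.startswith("TLS_"):
        return findings  # TLS 1.3 suites are always ephemeral-key and AEAD
    if not re.match(r"^(ECDHE|DHE)-", name):
        findings.append("no forward secrecy (static RSA/ECDH key exchange)")
    if "GCM" not in name and "CHACHA20-POLY1305" not in name:
        findings.append("not AEAD (CBC or stream cipher with HMAC)")
    if re.search(r"(RC4|DES|MD5|NULL|EXP|ANON)", name):
        findings.append("obsolete or unauthenticated algorithm")
    return findings


def audit_cipher_string(value):
    """Map each failing suite to its findings; an empty dict means the whole string passes."""
    result = {}
    for suite in parse_cipher_string(value):
        findings = audit_suite(suite)
        if findings:
            result[suite] = findings
    return result


def sacli_command(value):
    """Build the ConfigPut line used in the thread, but only for a string that passes the audit."""
    if audit_cipher_string(value):
        raise ValueError("cipher string contains suites that fail the policy")
    return f"./sacli --key \"cs.openssl_ciphersuites\" --value '{value}' ConfigPut"


if __name__ == "__main__":
    print(audit_cipher_string(POSTED))  # {} -> the posted string passes
    print(sacli_command(POSTED))
```

To see how OpenSSL itself expands a string before loading it, `openssl ciphers -v '<string>'` lists each suite with its protocol version, key exchange, authentication, encryption and MAC columns.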
