Hardening OpenVPN part of Softether VPN

shorty1483
Posts: 9
Joined: Mon Jun 06, 2016 10:42 am

Post by shorty1483 » Wed Jun 08, 2016 6:00 pm

I stumbled across SoftEther as a long-time OpenVPN user and find it really great. It's relatively easy to configure, and the technical implementation of the OpenVPN part over local bridge is way faster and better in my opinion than the OpenVPN one using a TAP adapter. So far I love it. So thanks for that, @devs.

There are just two things that are quite annoying:

OpenVPN Client Log: "Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA"

https://www.ssl.com/how-to/turn-off-ssl ... r-browser/

Since TLS 1.0 is outdated and considered insecure, I propose updating the OpenVPN implementation to TLS 1.2, or the implementation in general. A benefit would also be support for current cipher suites to harden the OpenVPN server, and also for the authentication part (support for at least auth SHA256).

https://community.openvpn.net/openvpn/wiki/Hardening


I would really like to see that happening. @Devs, give some hint if any updates of the SoftEther OpenVPN part are planned. If the suggestions above are somehow not possible, please give a short explanation.

Thanks! I really like SoftEther.

xortim
Posts: 3
Joined: Fri May 06, 2016 3:31 am

Re: Hardening OpenVPN part of Softether VPN

Post by xortim » Tue Oct 25, 2016 1:28 pm

Configuring the cipher suite should apply to all supported protocols where available.

For example, I have set the cipher suite via command line using:
ServerCipherSet DHE-RSA-AES256-SHA

And disabled all SSL by editing the server configuration by hand:
bool AcceptOnlyTls true

I still see the same message in my OpenVPN client logs:
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

I would think that disabling SSL should be applied to the OpenVPN clients as well, but that doesn't appear to be the case.

Additionally, adding support for TLSv1.2 and 1.3 would be awesome, since the current cipher suites available in SoftEther are no longer recommended for production use.

Edit: Created github issue: https://github.com/SoftEtherVPN/SoftEtherVPN/issues/263
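Both posters end up reading the OpenVPN client's "Control Channel:" log line to see whether the server-side hardening took effect. The script below, an added example and not code from either poster or from the SoftEther project, parses that line and flags the weak points they discuss (TLS below 1.2, CBC/HMAC suites, SHA-1 MAC). The sample log lines are constructed, modelled on the line quoted in the thread.

```python
import re

# Constructed sample: the first line is the one quoted in the thread,
# the second is what a hardened server would be expected to negotiate.
SAMPLE_LOG = """\
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

# Shape of OpenVPN's control-channel summary:
#   Control Channel: <proto>, cipher <lib-name> <suite>, <bits> bit <kx>
LINE_RE = re.compile(
    r"Control Channel:\s*(?P<proto>TLSv[\d.]+),\s*cipher\s+\S+\s+"
    r"(?P<cipher>[A-Z0-9-]+),\s*(?P<bits>\d+)\s*bit\s*(?P<kx>\w+)"
)

def parse_control_channel(line):
    """Return a dict with proto, cipher, bits, kx, or None if not a control-channel line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["bits"] = int(entry["bits"])
    return entry

def audit(entry):
    """List the hardening problems visible in one parsed control-channel entry."""
    findings = []
    if entry["proto"] in ("TLSv1", "TLSv1.1"):
        findings.append(f"negotiated {entry['proto']}; TLS 1.2 or newer expected")
    cipher = entry["cipher"]
    if not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append("no (EC)DHE key exchange: no forward secrecy")
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        findings.append(f"{cipher} is a CBC/HMAC suite, not an AEAD suite")
    if cipher.endswith("-SHA"):
        findings.append("record MAC uses SHA-1")
    if entry["bits"] < 2048:
        findings.append(f"{entry['kx']} key is only {entry['bits']} bits")
    return findings

def audit_log(text):
    """Pair every control-channel line in the log text with its findings."""
    results = []
    for line in text.splitlines():
        entry = parse_control_channel(line)
        if entry is not None:
            results.append((line, audit(entry)))
    return results

if __name__ == "__main__":
    for line, findings in audit_log(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("  -", f)
```

Run it against the client's real log file in place of SAMPLE_LOG; an empty findings list for the negotiated line is the result the thread is asking for.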
