Specified Encryption Algorithm on Server Not Actually Used

Nugget
Posts: 2
Joined: Thu Jan 30, 2020 4:06 am

Specified Encryption Algorithm on Server Not Actually Used

Post by Nugget » Mon Feb 03, 2020 11:20 pm

I must be missing something... Despite specifying an encryption algorithm on the server, all client connections are negotiated as TLS_AES_256_GCM_SHA384. I've tried AES128-GCM-SHA256, RC4-SHA and ECDHE-RSA-CHACHA20-POLY1305.

I'm not using VPN Azure. The config file does in fact show the specified encryption algorithm, e.g. string CipherName AES128-GCM-SHA256

The server (4.32 build 9731) log has the following entries:


[RPC-2544]: A new encryption algorithm name for the server has been set. The new encryption algorithm name is "AES128-GCM-SHA256".

SSL communication for connection "CID-X-XXXXXXXXXX" has been started. The encryption algorithm name is "TLS_AES_256_GCM_SHA384".

The behavior is the same despite restarting the server service. The server and client are Windows 10 1909.

Best I can tell, it doesn't appear anything about the intended cipher gets logged on the client (4.32 build 9731). When I de-select "Encrypt VPN session with SSL" on the client, it connects without encryption as expected.

It's great that SoftEther can negotiate a really secure cipher like AES_256_GCM; however, my use case is on older PCs (one without AES-NI), and when I tested the PCs with OpenVPN server/client, AES_256_GCM vs AES_128_GCM made an enormous difference in terms of CPU usage and throughput. The reason I need just a low level of encryption is that my ISP throttles my unencrypted traffic.

@cedar ?

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by cedar » Wed Feb 05, 2020 10:18 am

I've confirmed that the problem reproduces in the environment at hand.
It doesn't happen in 4.30, so I think it's a bug.

Nugget
Posts: 2
Joined: Thu Jan 30, 2020 4:06 am

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by Nugget » Wed Feb 05, 2020 11:21 am

cedar wrote:
Wed Feb 05, 2020 10:18 am
I've confirmed that the problem reproduces in the environment at hand.
It doesn't happen in 4.30, so I think it's a bug.
Great to know! Just a heads up to other folks. I tried Ver 4.30, Build 9696 and it wouldn't connect. Version 4.30, Build 9695 works as expected for AES 128. Maybe it was 9696 that inadvertently added the bug.

Also, users should keep in mind the 9596 release notes indicate it fixed a security vulnerability "Added the user buffer address verification code on some I/O control codes of the NDIS 5.x legacy Local Bridge driver to fix SE201901: SoftEther VPN Server NDIS 5.x Windows Local Bridge Driver Local Privilege Escalation Vulnerability. Acknowledgments: This fix is based on a report by DownWithUp."

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by sky59 » Wed Feb 05, 2020 5:05 pm

What a bug!?
The protocol is decided by the client!

I also tested "none" and it works, and a warning about using an unencrypted connection is issued as well.

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by cedar » Thu Feb 06, 2020 3:52 am

SoftEther VPN is designed to specify cipher on the server side in order to centrally manage users.

Apparently, the use of TLS 1.3 seems to be the cause of the problem.

https://wiki.openssl.org/index.php/TLS1.3

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by sky59 » Thu Feb 06, 2020 6:42 am

cedar wrote:
Thu Feb 06, 2020 3:52 am
SoftEther VPN is designed to specify cipher on the server side in order to centrally manage users.

Apparently, the use of TLS 1.3 seems to be the cause of the problem.

https://wiki.openssl.org/index.php/TLS1.3
Last year I was in Thailand. In Europe I had a running SE server - let us call it the default configuration.
Changing the setting only on the client side (in Thailand), I managed to communicate (for speed reasons) with the server without any encryption.

How was that possible?

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by cedar » Thu Feb 06, 2020 8:42 am

The cipher cannot be changed in the client settings, but encryption can be stopped.

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by sky59 » Thu Feb 06, 2020 11:08 am

cedar wrote:
Thu Feb 06, 2020 8:42 am
The cipher cannot be changed in the client settings, but encryption can be stopped.
Maybe I do not understand the difference between "cipher" and "encryption" .... ?

I do not know where, but I found information somewhere that the encryption used is decided by the client, not by the server. Is this true?

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by cedar » Thu Feb 06, 2020 11:27 am

Cipher is SSL terminology that specifies a combination of encryption and signature algorithms used for communication.

https://en.wikipedia.org/wiki/Cipher_suite

The server and client negotiate to determine the cipher within the SSL protocol.
In SoftEtherVPN, the Cipher set on the server is used with priority.

The problem is that certain versions of SoftEther VPN do not use the specified Cipher.

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by sky59 » Thu Feb 06, 2020 2:34 pm

cedar wrote:
Thu Feb 06, 2020 11:27 am
Cipher is SSL terminology that specifies a combination of encryption and signature algorithms used for communication.

https://en.wikipedia.org/wiki/Cipher_suite

The server and client negotiate to determine the cipher within the SSL protocol.
In SoftEtherVPN, the Cipher set on the server is used with priority.

The problem is that certain versions of SoftEther VPN do not use the specified Cipher.
I use exclusively only softether-src-v4.25-9656-rtm

Do you know what is the situation with this?

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by cedar » Thu Feb 06, 2020 7:59 pm

Since this problem is related to the TLS 1.3 specification, it does not occur in 4.25, which does not support TLS 1.3.

filamento
Posts: 2
Joined: Wed Feb 17, 2021 9:31 am

Re: Specified Encryption Algorithm on Server Not Actually Used

Post by filamento » Mon Dec 20, 2021 7:01 pm

There's a possible workaround for this problem. I have tested it and it works (at least on Windows).

Edit the config file in the server, and look for this value:

bool Tls_Disable1_3 false

Change it to the following value:

bool Tls_Disable1_3 true

That will disable TLS 1.3, and the selected cipher will work again. You can even select RC4-MD5 if you desire very low CPU usage!!

Regards.
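Cedar's explanation (the OpenSSL cipher string only governs TLS 1.2-and-below suites, so a TLS 1.3 client still negotiates from the separate TLS 1.3 list) and filamento's workaround (capping the server at TLS 1.2) can be checked with Python's ssl module. This is an added example, not SoftEther's code; the helper names are assumptions and the config values are constructed from the ones quoted in this thread.

```python
import ssl

# Constructed analogue of the server config value from this thread
# ("string CipherName AES128-GCM-SHA256"); not read from a real config.
CIPHER_NAME = "AES128-GCM-SHA256"


def enabled_suites(cipher_name, disable_tls13):
    """Return (suite name, protocol) pairs an OpenSSL-backed server can
    negotiate when its cipher string is `cipher_name`.

    set_ciphers() maps to OpenSSL's cipher list, which only restricts
    TLS 1.2-and-below suites; the TLS 1.3 suites live in a separate list
    that the cipher string never touches, which is why a TLS 1.3 client
    ends up on TLS_AES_256_GCM_SHA384 regardless of CipherName.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_name)
    if disable_tls13:
        # Analogue of filamento's "bool Tls_Disable1_3 true" (assumption:
        # capping the protocol version is what that flag amounts to).
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    suites = [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]
    if disable_tls13:
        # get_ciphers() reports the raw list without applying the version
        # cap, so drop the suites a TLS 1.2-capped server can never pick.
        suites = [s for s in suites if s[1] != "TLSv1.3"]
    return suites


def tls13_suites_still_offered(cipher_name):
    """Suites a TLS 1.3 client is offered despite the CipherName setting."""
    return [n for n, p in enabled_suites(cipher_name, False) if p == "TLSv1.3"]


if __name__ == "__main__":
    print("TLS 1.3 enabled: ", enabled_suites(CIPHER_NAME, False))
    print("TLS 1.3 disabled:", enabled_suites(CIPHER_NAME, True))
```

With TLS 1.3 enabled the list still starts with the TLS 1.3 suites, matching the server log above; with the cap applied only AES128-GCM-SHA256 remains.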
