Disable Weak Ciphers such as RC4-MD5
- Posts: 1
- Joined: Fri Feb 22, 2019 8:28 am
Disable Weak Ciphers such as RC4-MD5
How can I force the client and SoftEther VPN server to use AES encryption only? When I created the ovpn file using SoftEther VPN Server Manager, I used AES encryption as the encryption algorithm and installed it at the client side. But I believe the server is not accepting it; it is looking for RC4-MD5. How can I fix it?
- Site Admin
- Posts: 2266
- Joined: Sat Mar 09, 2013 5:37 am
Re: Disable Weak Ciphers such as RC4-MD5
I think SoftEther VPN Server can accept OpenVPN connection with AES encoding.
What error did you see?
- Posts: 4
- Joined: Tue Jan 08, 2019 3:34 pm
Re: Disable Weak Ciphers such as RC4-MD5
I'm still having this issue. I can't get RC4-MD5 disabled:
https://github.com/SoftEtherVPN/SoftEtherVPN/pull/343
- Posts: 65
- Joined: Thu Sep 19, 2019 7:18 pm
Re: Disable Weak Ciphers such as RC4-MD5
I have the same issue.
A Mikrotik client connecting to a SE server always reverts to the weak RC4 cipher, although both support much higher ones like various forms of AES256...
But apparently, RC4 is all both nodes can agree upon during the initial handshake.
Until today, I have found no way of enforcing a higher cipher, nor got any hint of how to do this on this forum or from someone at SE.
...Still hoping though...
- Posts: 1
- Joined: Sun Dec 23, 2018 11:53 am
Re: Disable Weak Ciphers such as RC4-MD5
Hi.
I have the same issue. I see it happens only when it connects through the VPNAzure relay network. Connecting directly through NAT utilizes the server selected cipher AES256-GCM-SHA384.
I am not sure if this has to do with network speed, which maybe forces SoftEther to use a weaker (and faster) cipher on slow networks (using the VPNAzure relay), or if it has to do with the VPNAzure network itself.
Anyone knows why this behavior?
Anyone may point around the right direction?
Thks.
- Posts: 4
- Joined: Mon Mar 08, 2021 12:32 pm
Re: Disable Weak Ciphers such as RC4-MD5
Hi Community
I also run a server with SoftEther VPN. In the course of various security tests I noticed that the system allows connections with RC4.
I have counterchecked this with Test SSL Server, and the following list comes out.
Do I have any possibility to deactivate RC4?
TLSv1.2:
server selection: uses client preferences
3-- (key: RSA) RSA_WITH_RC4_128_MD5
3-- (key: RSA) RSA_WITH_RC4_128_SHA
3-- (key: RSA) RSA_WITH_3DES_EDE_CBC_SHA
3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_128_CBC_SHA
3-- (key: RSA) RSA_WITH_AES_256_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA
3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA256
3-- (key: RSA) RSA_WITH_AES_128_GCM_SHA256
3-- (key: RSA) RSA_WITH_AES_256_GCM_SHA384
Best Regards
Alex
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: Disable Weak Ciphers such as RC4-MD5
The cipher list is hardcoded into the source code (Mayaqua/Network.c). You can change and build yourself.
Below is my modification based on Build 9745 for your reference.
Original version:
Code:
static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384"
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
" DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305";
#endif
;
My version (to build with OpenSSL 1.1.x so the second list will be in effect):
Code:
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384";
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
static char *cipher_list = "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256";
#endif
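As an added example (my own code, not SoftEther's), here is a small C check that applies the same policy the modified list above follows: it tokenizes a space-separated OpenSSL cipher string of the shape used for cipher_list in Mayaqua/Network.c, drops every suite whose name contains RC4, MD5 or DES, and reports how many were removed, so a list can be verified before rebuilding. The deny-list markers are an assumption of the example, not something SoftEther defines.

```c
/* Added example, not SoftEther's code: check a space-separated OpenSSL cipher
 * string (the shape of cipher_list in Mayaqua/Network.c) against a deny-list. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy: drop RC4, MD5-MAC suites and anything with "DES" (incl. 3DES). */
static const char *weak_markers[] = { "RC4", "MD5", "DES", NULL };

static bool cipher_is_weak(const char *name)
{
    for (const char **m = weak_markers; *m; m++)
        if (strstr(name, *m))
            return true;
    return false;
}

/* Copies the non-weak suites of `list` into `out`, space separated and in order
 * (OpenSSL also accepts ':' and ',' as separators, so all three are split on).
 * Returns the number of suites dropped, or -1 if a buffer is too small. */
static int filter_weak_ciphers(const char *list, char *out, size_t outlen)
{
    char buf[2048];
    if (strlen(list) >= sizeof buf || outlen == 0)
        return -1;
    strcpy(buf, list);
    out[0] = '\0';
    int dropped = 0;
    size_t used = 0;
    for (char *tok = strtok(buf, " :,"); tok; tok = strtok(NULL, " :,")) {
        if (cipher_is_weak(tok)) { dropped++; continue; }
        size_t n = strlen(tok);
        if (used + n + 2 > outlen)          /* separator + name + NUL */
            return -1;
        if (used) out[used++] = ' ';
        memcpy(out + used, tok, n + 1);
        used += n;
    }
    return dropped;
}

int main(void)
{
    /* Constructed input: the head of the Build 9745 list quoted in the thread. */
    const char *orig = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA";
    char out[2048];
    int dropped = filter_weak_ciphers(orig, out, sizeof out);
    printf("dropped %d weak suite(s); remaining: %s\n", dropped, out);
    return dropped > 0;   /* non-zero exit: the list still needs editing */
}
```

A non-zero return from filter_weak_ciphers on the string you are about to compile in means a scanner such as the Test SSL Server run above will still list those suites.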
- Posts: 4
- Joined: Mon Mar 08, 2021 12:32 pm
Re: Disable Weak Ciphers such as RC4-MD5
Hi and thanks for your answer!
Since I still have OpenSSL 1.0.2k-fips on the system, I simply changed the code as follows, so that the old RC4 ciphers are out.
The whole thing could be compiled and started and looks good at first sight.
From your point of view, does anything speak against this solution?
I would not like to update OpenSSL (Centos 7 system).
Regards
Alex
Code:
static char *cipher_list = "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256"
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
" DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305";
#endif
;
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: Disable Weak Ciphers such as RC4-MD5
AlexR wrote: Mon Mar 08, 2021 5:49 pm
Code:
static char *cipher_list = "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256"
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
" DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305";
#endif
;
OK, it makes sense if you would like to stick to 1.0.x. And you can drop the two CHACHA20 ciphers in the first line too, as they are not supported in 1.0.x.
- Posts: 4
- Joined: Tue Jan 08, 2019 3:34 pm
Re: Disable Weak Ciphers such as RC4-MD5
Any updates to this? I'm still seeing weak ciphers in Version 4.41 Build 9787 (English)
Nessus reports:
SSL RC4 Cipher Suites Supported (Bar Mitzvah)
ServerCipherGet command - Get the Encrypted Algorithm Used for VPN Communication.
Encrypted Algorithm Currently Used by VPN Server:
DHE-RSA-AES128-GCM-SHA256
But when scanned it still shows RC4 as supported.