How can I change the SSL VPN Control Channel to be TLS 1.2?

I was looking at the connection logs from the stoplight and noticed that the Control Channel was using TLS 1.0/SSL3.0. Is there a way I can change that to use TLS 1.2? I looked through all the VPN options and I didn't see anything that would allow me to make sure only TLS 1.2 was used...



  • I think it's only 1.0!

    When using OpenVPN from e.g. an iPhone, if I set the lowest supported TLS version to either 1.1 or 1.2, I get the message:

    "Authentication failed"

    "Server TLS version is too low"

    When setting it to 1.0, it connects.

  • Hello All

    We have now kept the minimum version set to TLS1.2 on V18 MR1 at the moment we have no plan for 17.5.

    Wed Apr 15 15:21:37 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Apr 15 15:21:37 2020 UDPv4 link local: [undef]
    Wed Apr 15 15:21:37 2020 UDPv4 link remote: [AF_INET]192.168.50.132:8443
    Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,WAIT,,,,,,
    Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,AUTH,,,,,,
    Wed Apr 15 15:21:37 2020 TLS: Initial packet from [AF_INET]192.168.50.132:8443, sid=cc028869 51acbba6
    Wed Apr 15 15:21:37 2020 VERIFY X509NAME OK: C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddress=administrator@sc.local
    Wed Apr 15 15:21:37 2020 VERIFY OK: depth=0, C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddress=administrator@sc.local
    Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Wed Apr 15 15:21:38 2020 [sc.local] Peer Connection Initiated with [AF_INET]192.168.50.132:8443
    Wed Apr 15 15:21:39 2020 MANAGEMENT: >STATE:1586944299,GET_CONFIG,,,,,,
    Wed Apr 15 15:21:40 2020 SENT CONTROL [sc.local]: 'PUSH_REQUEST' (status=1)
    Wed Apr 15 15:21:40 2020 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 45,ping-restart 180,route 192.168.20.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.4.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,ifconfig 10.81.234.6 255.255.255.0'
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route options modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route-related options modified
    Wed Apr 15 15:21:40 2020 Preserving previous TUN/TAP instance: Ethernet
    Wed Apr 15 15:21:40 2020 Initialization Sequence Completed

  • Thank you Aditya!

    Based on your log line there are still some TLSv1/SSLv3 elements. Will those be changed to TLS 1.2 as well? Specifically:

    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

    Your log line is also a little misleading compared to your statement because it has TLS 1.2 and TLSv1/SSLv3 being used. Can you clarify that?

  • That is basically an OpenVPN "cosmetic issue".

    https://forums.openvpn.net/viewtopic.php?t=26778

    As XG uses the OpenVPN version which still has this reporting "bug", it is still in the product.

    If you enable a channel with TLS 1.2 only (on the OpenVPN client, for example) and use a current version of TLS 1.2, it will be TLS 1.2 only.

  • Only if you use v18. If you are stuck with v17, you can't use a safe TLS because this feature has not been backported to V17.

  • Hello All,

    Just an update: the fix version V18 MR1 for this issue was pulled and is now pushed to be fixed in V18.5.

    Hence, the fix will be planned for V18.5
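As an added example (not from any poster in this thread or from Sophos), a small Python audit that reads the "Control Channel" line of an OpenVPN client log the way the posts above discuss it: the field after "Control Channel:" is the negotiated protocol version, while the "TLSv1/SSLv3" token after "cipher" is only a cipher-suite family label. It also checks whether a client config pins the floor with OpenVPN's tls-version-min directive. The sample log lines and config text are constructed (the first log line mirrors the one posted above).

```python
import re

# The field right after "Control Channel:" is the negotiated protocol version.
# The "TLSv1/SSLv3" token after "cipher" is OpenSSL's cipher-suite family label
# and says nothing about which TLS version was actually negotiated.
CONTROL_CHANNEL_RE = re.compile(
    r"Control Channel: (?P<proto>SSLv3|TLSv1(?:\.\d)?), "
    r"cipher (?P<family>\S+) (?P<suite>\S+), (?P<keybits>\d+) bit (?P<keytype>\w+)"
)
POLICY_MIN = (1, 2)  # floor for this audit: TLS 1.2


def proto_tuple(proto: str) -> tuple:
    """Order protocol labels: SSLv3 < TLSv1 < TLSv1.1 < TLSv1.2 < TLSv1.3."""
    if proto == "SSLv3":
        return (0, 3)
    return (1, (int(proto.split(".")[1]) if "." in proto else 0))

def parse_control_channel(line: str):
    """Parse one Control Channel line into a dict; None for any other log line."""
    m = CONTROL_CHANNEL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["below_policy"] = proto_tuple(fields["proto"]) < POLICY_MIN
    return fields

def audit_openvpn_log(lines) -> list:
    """Every control-channel negotiation in a client log, flagged if below TLS 1.2."""
    return [f for f in map(parse_control_channel, lines) if f is not None]

def config_enforces_tls12(config_text: str) -> bool:
    """True if the client config pins the floor with 'tls-version-min 1.2' or higher."""
    for line in config_text.splitlines():
        m = re.match(r"\s*tls-version-min\s+(\d)\.(\d)", line)
        if m and (int(m.group(1)), int(m.group(2))) >= POLICY_MIN:
            return True
    return False

# Constructed sample log: line 1 mirrors the one posted above; line 3 is a made-up
# entry showing how an older TLS 1.0 negotiation is reported.
SAMPLE_LOG = [
    "Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 "
    "DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA",
    "Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key",
    "Wed Apr 15 15:30:01 2020 Control Channel: TLSv1, cipher TLSv1/SSLv3 "
    "DHE-RSA-AES256-SHA, 2048 bit RSA",
]
```

Running `audit_openvpn_log(SAMPLE_LOG)` returns two entries: the posted TLSv1.2 negotiation passes the policy, the constructed TLSv1 one is flagged, and the "TLSv1/SSLv3" family label appears in both regardless of the negotiated version.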
