
How can I change the SSL VPN Control Channel to be TLS 1.2?

I was looking at the connection logs from the stoplight and noticed that the Control Channel was using TLS 1.0/SSL3.0. Is there a way I can change that to use TLS 1.2? I looked through all the VPN options and I didn't see anything that would allow me to make sure only TLS 1.2 was used...
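The negotiated control-channel version is reported by the OpenVPN client itself, in the "Control Channel:" line that follows the TLS handshake, so the quickest check is to audit client logs rather than hunt for a server-side option. The following script is an added example (not code from this thread, Sophos, or the OpenVPN project) that parses those summary lines, flags any session negotiated below TLS 1.2, and notes whether the suite is AEAD (GCM) or an older CBC-SHA suite. Note that the token after "cipher" (TLSv1/SSLv3 or SSLv3) is OpenSSL's protocol family for the cipher suite, not the negotiated version; the version is the token right after "Control Channel:". The sample log lines are constructed from the values quoted in this thread; the 1.2 floor matches the standard OpenVPN client directive `tls-version-min 1.2`, which is what the iPhone app's "lowest supported TLS version" setting enforces.

```python
"""Audit OpenVPN 2.3-style client logs for the negotiated control-channel TLS version."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Summary line OpenVPN writes once the control-channel handshake completes, e.g.
#   Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
# "proto" is the negotiated protocol; "family" is only the cipher suite's protocol family.
CONTROL_CHANNEL_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Control Channel: (?P<proto>TLSv1(?:\.\d)?|SSLv[23]), "
    r"cipher (?P<family>[^,\s]+) (?P<suite>[^,\s]+), "
    r"(?P<bits>\d+) bit (?P<kex>\w+)$"
)

MIN_VERSION: Tuple[int, int] = (1, 2)  # the TLS 1.2 floor the thread asks for


@dataclass
class ControlChannel:
    timestamp: str
    proto: str                 # raw token, e.g. "TLSv1" or "TLSv1.2"
    version: Tuple[int, int]   # (1, 0) for TLSv1, (1, 2) for TLSv1.2, (0, 3) for SSLv3
    suite: str
    key_bits: int
    key_type: str

    @property
    def meets_minimum(self) -> bool:
        return self.version >= MIN_VERSION

    @property
    def aead(self) -> bool:
        # GCM and ChaCha20-Poly1305 suites are AEAD; *-SHA / CBC suites are not.
        return "GCM" in self.suite or "POLY1305" in self.suite.upper()


def parse_version(token: str) -> Tuple[int, int]:
    """'TLSv1' -> (1, 0); 'TLSv1.2' -> (1, 2); 'SSLv3' -> (0, 3)."""
    if token.startswith("SSLv"):
        return (0, int(token[4:]))
    major, _, minor = token[4:].partition(".")
    return (int(major), int(minor or 0))


def parse_control_channel(line: str) -> Optional[ControlChannel]:
    """Return a ControlChannel for a 'Control Channel:' line, else None."""
    m = CONTROL_CHANNEL_RE.match(line.strip())
    if not m:
        return None
    return ControlChannel(
        timestamp=m["ts"],
        proto=m["proto"],
        version=parse_version(m["proto"]),
        suite=m["suite"],
        key_bits=int(m["bits"]),
        key_type=m["kex"],
    )


def audit(lines) -> List[dict]:
    """One finding per control-channel line; all other log lines are skipped."""
    findings = []
    for line in lines:
        cc = parse_control_channel(line)
        if cc is None:
            continue
        findings.append({
            "timestamp": cc.timestamp,
            "proto": cc.proto,
            "suite": cc.suite,
            "ok": cc.meets_minimum,   # False => below the TLS 1.2 floor
            "aead": cc.aead,
        })
    return findings


# Constructed sample log, using the values quoted in the thread.
SAMPLE_LOG = """\
Wed Apr 15 15:21:37 2020 TLS: Initial packet from [AF_INET]192.168.50.132:8443, sid=cc028869 51acbba6
Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Oct 13 15:21:04 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Oct 31 15:49:13 2020 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 30 15:53:51 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        status = "OK " if f["ok"] else "LOW"
        print(f'{status} {f["timestamp"]} {f["proto"]:8} {f["suite"]} aead={f["aead"]}')
```

Run it against a real client log (`python audit.py < openvpn.log` after swapping `SAMPLE_LOG` for `sys.stdin`) and any "LOW" line shows a session that the server negotiated below TLS 1.2, which is exactly what the later posts in this thread are reporting.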



  • I think it's only 1.0!

    When using OpenVPN from e.g. an iPhone, if I set the lowest supported TLS version to either 1.1 or 1.2, I get the message:


    "Authentication failed"

    "Server TLS version is too low"


    When setting it to 1.0, it connects.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • Hello All

    We have now kept the minimum version set to TLS 1.2 on V18 MR1; at the moment we have no plan for 17.5.

    Wed Apr 15 15:21:37 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Apr 15 15:21:37 2020 UDPv4 link local: [undef]
    Wed Apr 15 15:21:37 2020 UDPv4 link remote: [AF_INET]192.168.50.132:8443
    Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,WAIT,,,,,,
    Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,AUTH,,,,,,
    Wed Apr 15 15:21:37 2020 TLS: Initial packet from [AF_INET]192.168.50.132:8443, sid=cc028869 51acbba6
    Wed Apr 15 15:21:37 2020 VERIFY X509NAME OK: C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddress=administrator@sc.local
    Wed Apr 15 15:21:37 2020 VERIFY OK: depth=0, C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddress=administrator@sc.local
    Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Wed Apr 15 15:21:38 2020 [sc.local] Peer Connection Initiated with [AF_INET]192.168.50.132:8443
    Wed Apr 15 15:21:39 2020 MANAGEMENT: >STATE:1586944299,GET_CONFIG,,,,,,
    Wed Apr 15 15:21:40 2020 SENT CONTROL [sc.local]: 'PUSH_REQUEST' (status=1)
    Wed Apr 15 15:21:40 2020 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 45,ping-restart 180,route 192.168.20.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.4.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,ifconfig 10.81.234.6 255.255.255.0'
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route options modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route-related options modified
    Wed Apr 15 15:21:40 2020 Preserving previous TUN/TAP instance: Ethernet
    Wed Apr 15 15:21:40 2020 Initialization Sequence Completed

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hello All,

    Just an update: the fix version V18 MR1 for this issue was pulled and is now pushed to V18.5.

    Hence, the fix will be planned for V18.5

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • v18.5?

    v18 MR-1 just came out, is there any date on when we will see v18.5 EAP, or at least v18 MR-2 and v18 MR-3?


    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.


  • Hmmm...

    Tue Oct 13 15:21:04 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

    Can you verify?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • Same thing here on v18 MR3; strangely enough, on v18 MR2 it was using TLSv1.2.

    Tue Oct 13 10:24:47 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA



    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • I am sorry, I missed the version. The TLS 1.2 fix was moved to MR4. (NC-53896)

  • Will NC-53896 also bring AES-GCM support? Or will we at least get an updated version of OpenVPN? Currently it's running 2.3.6, which is from 2015...



    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • @LuCar Toni: is this still to come in MR4?

    Sat Oct 31 15:49:13 2020 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

  • Will this actually be available on MR4? Or only on v18.5?



    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Confirmed, I think:

    Wed Dec 30 15:53:51 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA