This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cipher Suite with VPN SSL

Hi,

Quick question does the Sophos UTM 9.2 support the block cipher AES-GCM when using the VPN SSL Client. It is a compliance issue that the client negotiates using AES-GCM using TLS 1.2

If not, do we know if it is likely to be in a future release.

The admin console supports AES128GCM, but I cannot get the clients to use this using SSL VPN.

Thanks.

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

supported cipher suite has changed in 9.3 for ssl vpn connections
Same choices as 9.2.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 HamburgerJung over 6 years ago in reply to Scott_Klassen

Hello did someone know why AES-<128-256>-GCM is not supported???

is it not save or what are the reasons??? hmmmm ;/

regards
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to HamburgerJung

Naja, mein Freund aus Hamburg...

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 6 years ago in reply to HamburgerJung

Naja, mein Freund aus Hamburg...

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 HamburgerJung over 6 years ago in reply to BAlfson

Hello my friend ;-)

Thank you, I need it for OpenVPN Site2Site for testing

I use a VPN provider (Converted the provided *.ovpn) to UTM compatible.

Works all fine with MASQ over tun(commandline) and Policy based Routing for specified Sites.

But would get more performance , and because of that i would test GCM ;-)

Set it to GCM over Restapi is not possible and if set in the config-default in chroot-openvpn/etc/openvpn/client/ it cant connect because of OpenSSL errors.

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to HamburgerJung

Ah, I didn't read closely enough - SSL VPN, not IPsec!

I thought that Sophos modified the current code a couple years ago for the SSL VPN so that it would take advantage of AES-NI, but I just did a search in the and don't see that it was. I think you can't change the setting because it's an issue of the code for that has not been added.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Cressor over 5 years ago in reply to BAlfson

Since CBC is becmoing more and more insecure, see https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities for example, i would STRONGLY suggest pushing support for GCM ASAP.

The other provided ciphers are also crap (sorry but thats About it).

The openssl and openvpn Version should support GCM without any Problems so the implentation should be done in 5 minutes..

regards
Cancel
Vote Up 0 Vote Down

Cancel