
Author Topic: TLSv1.2 only  (Read 3159 times)

Wayne Train

  • Full Member
  • ***
  • Posts: 194
  • Karma: 12
    • View Profile
TLSv1.2 only
« on: October 09, 2017, 10:16:32 am »
Hi,
is there any possibility to enable TLSv1.2 only on OPNsense?
If I scan my box with default crypto settings it shows:

Quote
BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2

 LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers

By simply disabling all CBC ciphers it would be possible to prevent LUCKY13 attacks, but where can I disable TLSv1.0 and TLSv1.1 completely?

Thanks in advance.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13634
  • Karma: 1174
    • View Profile
Re: TLSv1.2 only
« Reply #1 on: October 09, 2017, 11:26:29 pm »
Hi,

Lighttpd doesn't offer this, apparently; all suggestions that can be found describe disabling all ciphers that are not exclusive to TLS 1.2, e.g.:

https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html


Cheers,
Franco
Logged
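The approach in the reply above (keeping only suites that cannot be negotiated under TLS 1.0/1.1, and additionally dropping CBC suites for the LUCKY13 finding) can be checked mechanically. The following is an added example and not OPNsense, lighttpd or the tutorial's own code; it relies only on the OpenSSL cipher naming convention (AEAD suites carry GCM/CCM/CHACHA20-POLY1305, HMAC suites end in -SHA/-SHA256/-SHA384) and the fact that AEAD and HMAC-SHA256/384 suites exist only from TLS 1.2 onward. The sample scan line is constructed from the cipher names quoted in the first post, and the candidate list is a constructed example.

```python
"""Filter an OpenSSL-style cipher list down to TLS 1.2-exclusive suites.

Added example, not code from OPNsense or lighttpd.  Assumes OpenSSL cipher
suite naming (e.g. ECDHE-RSA-AES128-GCM-SHA256).
"""
import ssl

# Constructed from the "TLS1:" line in the thread's quoted scan output.
SAMPLE_SCAN_LINE = (
    "TLS1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA "
    "DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA "
    "CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA"
)

# Constructed candidate list mixing AEAD and TLS 1.2 CBC suites.
CANDIDATES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-SHA384",   # TLS 1.2-only, but CBC
    "DHE-RSA-AES128-SHA256",     # TLS 1.2-only, but CBC
]

AEAD_MARKERS = ("-GCM-", "-CCM", "-CHACHA20-POLY1305")


def is_aead(name):
    """AEAD suites (GCM, CCM, ChaCha20-Poly1305) have no separate MAC."""
    return any(marker in name for marker in AEAD_MARKERS)


def tls12_only(name):
    """True if the suite cannot be offered under TLS 1.0/1.1.

    AEAD suites and suites with an HMAC-SHA256/SHA384 MAC were introduced
    with TLS 1.2; suites ending in plain -SHA (HMAC-SHA1) also work on
    TLS 1.0/1.1, so keeping only these effectively disables the old versions.
    """
    return is_aead(name) or name.endswith(("-SHA256", "-SHA384"))


def is_cbc(name):
    """Non-AEAD block-cipher suites with an HMAC MAC use CBC mode."""
    if is_aead(name) or "RC4" in name or "NULL" in name:
        return False
    return name.endswith(("-SHA", "-SHA256", "-SHA384"))


def parse_scan_line(line):
    """'TLS1: A B C' -> ['A', 'B', 'C']."""
    _, _, rest = line.partition(":")
    return rest.split()


def harden(cipher_names, drop_cbc=True):
    """Return (kept, dropped) where dropped carries the reason per suite."""
    kept, dropped = [], []
    for name in cipher_names:
        if not tls12_only(name):
            dropped.append((name, "negotiable under TLS 1.0/1.1"))
        elif drop_cbc and is_cbc(name):
            dropped.append((name, "CBC mode (LUCKY13 class)"))
        else:
            kept.append(name)
    return kept, dropped


def to_openssl_list(names):
    """Colon-separated form accepted by e.g. lighttpd's ssl.cipher-list."""
    return ":".join(names)


def local_openssl_view(names):
    """Ask the local OpenSSL which of these suites it knows and at which
    minimum protocol; TLS 1.3 suites are always present and are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(to_openssl_list(names))
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    scanned = parse_scan_line(SAMPLE_SCAN_LINE)
    kept, dropped = harden(scanned)
    print("scanned suites kept:", kept)          # none survive
    for name, why in dropped:
        print(f"  drop {name}: {why}")
    kept, dropped = harden(CANDIDATES)
    print("cipher list:", to_openssl_list(kept))
    for name, why in dropped:
        print(f"  drop {name}: {why}")
    print("local OpenSSL view:", local_openssl_view(kept))
```

Every suite in the quoted scan output ends in -SHA and is therefore negotiable under TLS 1.0/1.1, so the filter drops all of them; of the constructed candidates only the three AEAD suites survive when CBC is also excluded. Running `harden(..., drop_cbc=False)` keeps the SHA256/SHA384 CBC suites, which addresses the protocol-version finding but not the LUCKY13 one.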

JeGr

  • Hero Member
  • *****
  • Posts: 1825
  • Karma: 208
  • old man standing
    • View Profile
Re: TLSv1.2 only
« Reply #2 on: October 10, 2017, 02:11:28 pm »
Apart from that, I wonder why an English topic has strayed in here ;)

-> Why can you scan your (INTERNAL) WebUI Config Interface from the internet in the first place?! Shouldn't be possible but only from a trusted location.
Logged
"It doesn't work!" is no valid error description! - Don't forget to [applaud] those offering time & brainpower to help you!
Better have some *sense as no(n)sense! ;)

If you're interested in german-speaking business support, feel free to reach out via PM.

mimugmail

  • Hero Member
  • *****
  • Posts: 6293
  • Karma: 432
    • View Profile
Re: TLSv1.2 only
« Reply #3 on: October 10, 2017, 02:52:46 pm »
Who said it was scanned by internet?

There can be internal security audits which customers demand when accessing their networks (like Volkswagen does).
Logged
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Wayne Train

  • Full Member
  • ***
  • Posts: 194
  • Karma: 12
    • View Profile
Re: TLSv1.2 only
« Reply #4 on: October 11, 2017, 09:38:11 am »
Right, I did the scanning from the internal network. And besides that: I think there's nothing wrong with posting in English in an "English forums" section ;-)

Best regards,
Wayne
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13634
  • Karma: 1174
    • View Profile
Re: TLSv1.2 only
« Reply #5 on: October 12, 2017, 08:27:35 pm »
It was in the German section, but when Jens pointed it out it was moved... ;)
Logged
