OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: Wayne Train on October 09, 2017, 10:16:32 am
-
Hi,
is there any possibility to enable TLSv1.2 only on OPNsense?
If I scan my box with default crypto settings, it shows:
BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
By simply disabling any CBC cipher, it would be possible to prevent LUCKY13 attacks, but where can I disable TLSv1.0 and TLSv1.1 completely?
Thanks in advance.
-
Hi,
Lighttpd doesn't offer this, apparently. All suggestions that can be found describe disabling all ciphers that are not exclusive to TLS 1.2, e.g.:
https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
Cheers,
Franco
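The approach described in the reply above, sketched as an added example (not code from the thread, OPNsense or lighttpd): it takes the cipher names from the scan output in the first post, drops every suite that is not exclusive to TLS 1.2, and separately lists the survivors that are also free of CBC. Assumptions: classification is by OpenSSL naming convention for TLS 1.2 and earlier suites, and the extra suites in `SAMPLE_EXTRA` are constructed sample values.

```python
# Added example: partition OpenSSL cipher names into "negotiable by TLS 1.0/1.1"
# and "TLS 1.2 only". Name-based heuristic (assumption), not an OpenSSL query.

# Cipher names copied from the BEAST line of the scan output in the first post.
FLAGGED = (
    "ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA "
    "DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA "
    "CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA"
).split()

# Constructed sample of suites a server might offer in addition.
SAMPLE_EXTRA = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-SHA256",  # TLS 1.2 only, but still CBC (LUCKY13 class)
    "DHE-RSA-AES256-SHA256",    # TLS 1.2 only, but still CBC (LUCKY13 class)
]

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def is_aead(name):
    """AEAD suites were introduced with TLS 1.2 and do not use CBC."""
    return any(marker in name.upper() for marker in AEAD_MARKERS)


def is_tls12_only(name):
    """AEAD suites and HMAC-SHA256/SHA384 suites cannot be used below TLS 1.2."""
    return is_aead(name) or name.upper().endswith(("-SHA256", "-SHA384"))


def is_cbc(name):
    """Block-cipher suites that are not AEAD run in CBC mode."""
    upper = name.upper()
    return not is_aead(name) and "RC4" not in upper and "NULL" not in upper


def plan(ciphers):
    """Split a cipher list the way the TLS 1.2-only workaround requires."""
    keep = [c for c in ciphers if is_tls12_only(c)]
    return {
        "dropped": [c for c in ciphers if not is_tls12_only(c)],
        "tls12_only": keep,
        "tls12_only_no_cbc": [c for c in keep if not is_cbc(c)],
    }


if __name__ == "__main__":
    for key, names in plan(FLAGGED + SAMPLE_EXTRA).items():
        print(f"{key}: {':'.join(names)}")
```

With only TLS 1.2-exclusive suites left, a TLS 1.0 or 1.1 client has no cipher in common with the server and the handshake fails; re-running the scanner afterwards confirms the result.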
-
Apart from the fact that I wonder why an English topic has strayed in here ;)
-> Why can you scan your (INTERNAL) WebUI Config Interface from the internet in the first place?! Shouldn't be possible but only from a trusted location.
-
Who said it was scanned from the internet?
There can be internal security audits which customers demand when accessing their networks (like Volkswagen does).
-
Right, I did the scanning from the internal network. And besides that: I think there's nothing wrong with posting in English in an "English forums" section ;-)
Best regards,
Wayne
-
It was in the German section, but when Jens pointed it out it was moved... ;)