TLSv1.2 only

Started by Wayne Train, October 09, 2017, 10:16:32 AM

Hi,
Is there any possibility to enable TLSv1.2 only on OPNsense?
If I scan my box with the default crypto settings, it shows:

Quote
BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2

LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers

By simply disabling all CBC ciphers, it would be possible to prevent LUCKY13 attacks, but where can I disable TLSv1.0 and TLSv1.1 completely?

Thanks in advance.

Hi,

Lighttpd doesn't offer this, apparently; all suggestions that can be found describe disabling all ciphers that are not exclusive to TLS 1.2, e.g.:

https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html


Cheers,
Franco
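The workaround described above rests on one property: AEAD suites (AES-GCM, ChaCha20-Poly1305) exist only in TLS 1.2 and later, so a cipher list made of nothing else leaves a TLS 1.0/1.1 client with no suite to negotiate, and at the same time removes every CBC suite LUCKY13 depends on. The following Python script is an added example for this thread, not code from OPNsense, lighttpd, or the linked tutorial. It applies a candidate `ssl.cipher-list` string to a local OpenSSL context, reports every suite OpenSSL would still offer below TLS 1.2 or in CBC mode, and renders the lighttpd SSL directives only when the list passes. The suite names are standard OpenSSL names; `CBC_LEGACY_LIST` is constructed here from the suites named in the scan output earlier in the thread. It needs no network and runs against whatever OpenSSL your Python was built with, which is also the caveat: audit the list on the box that will serve it, since the OpenSSL build decides which suites actually exist.

```python
import ssl
from dataclasses import dataclass, field

# Suites that only exist in TLS 1.2 (AEAD: AES-GCM or ChaCha20-Poly1305).
# Offering nothing else is the cipher-list workaround the post above refers to.
TLS12_ONLY_LIST = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
])

# Constructed for this example: one GCM suite plus three of the CBC/SHA1 suites
# named in the scan output earlier in the thread.
CBC_LEGACY_LIST = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
])


@dataclass
class AuditResult:
    accepted: list = field(default_factory=list)   # suites OpenSSL kept from the list
    pre_tls12: list = field(default_factory=list)  # still negotiable under TLS 1.0/1.1
    cbc: list = field(default_factory=list)        # non-AEAD, i.e. CBC (LUCKY13-relevant)

    @property
    def tls12_only(self) -> bool:
        return not self.pre_tls12 and not self.cbc


def audit_cipher_list(cipher_list: str) -> AuditResult:
    """Apply an OpenSSL cipher string and classify every suite it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if no suite matches at all
    result = AuditResult()
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are always listed, cannot be removed by set_ciphers()
        # and are always AEAD, so they do not bear on the TLS 1.0/1.1 question.
        if suite["protocol"] == "TLSv1.3":
            continue
        name = suite["name"]
        result.accepted.append(name)
        # OpenSSL reports each suite's minimum protocol version: "TLSv1.2" for
        # the AEAD suites, something lower (typically "SSLv3") for the classic
        # suites that a TLS 1.0/1.1 client can still negotiate.
        if suite["protocol"] != "TLSv1.2":
            result.pre_tls12.append(name)
        if not suite["aead"]:
            result.cbc.append(name)
    return result


def lighttpd_ssl_block(cipher_list: str) -> str:
    """Render the lighttpd SSL directives, refusing a list that fails the audit."""
    result = audit_cipher_list(cipher_list)
    if not result.tls12_only:
        raise ValueError(
            "pre-TLS1.2 suites: %s; CBC suites: %s"
            % (", ".join(result.pre_tls12) or "none", ", ".join(result.cbc) or "none")
        )
    return "\n".join([
        'ssl.engine = "enable"',
        'ssl.use-sslv2 = "disable"',
        'ssl.use-sslv3 = "disable"',
        'ssl.honor-cipher-order = "enable"',
        'ssl.cipher-list = "%s"' % cipher_list,
    ])


if __name__ == "__main__":
    for label, lst in (("legacy", CBC_LEGACY_LIST), ("tls12-only", TLS12_ONLY_LIST)):
        r = audit_cipher_list(lst)
        print("%s: accepted=%d pre_tls12=%s cbc=%s"
              % (label, len(r.accepted), r.pre_tls12, r.cbc))
    print(lighttpd_ssl_block(TLS12_ONLY_LIST))
```

Run it once with the legacy list to see the `-SHA` suites flagged twice (pre-TLS1.2 and CBC), then with the TLS 1.2-only list to get the directives to paste into the lighttpd config. Re-run a scanner afterwards: with no suite in common, a TLS 1.0/1.1 handshake fails at ServerHello, which is what "TLS 1.2 only" amounts to without a protocol-version knob.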

Apart from that, I wonder why an English topic has strayed in here ;)

-> Why can you scan your (INTERNAL) WebUI config interface from the internet in the first place?! It shouldn't be possible, except from a trusted location.
"It doesn't work!" is no valid error description! - Don't forget to [applaud] those offering time & brainpower to help you!
Better have some *sense than no(n)sense! ;)

If you're interested in German-speaking business support, feel free to reach out via PM.

Who said it was scanned from the internet?

There can be internal security audits which customers demand when accessing their networks (like Volkswagen does).

Right, I did the scanning from the internal network. And besides that: I think there's nothing wrong with posting in English in an "English forums" section ;-)

Best regards,
Wayne

It was in the German section, but when Jens pointed it out it was moved... ;)