I was looking at the connection logs from the stoplight and noticed that the Control Channel was using TLS 1.0/SSL3.0. Is there a way I can change that to use TLS 1.2? I looked through all the VPN options and I didn't see anything that would allow me to make sure only TLS 1.2 was used...
As far as I know, XG should use TLS 1.2 by default.
The log can show something else, but the connection should be TLS 1.2.
Check out what the port is offering you with a linux client.
openssl s_client -host XG.DNS -port 443 (or your SSL VPN port)
In reply to LuCar Toni:
I tested at https://www.ssllabs.com/ssltest and can confirm that TLS 1.2 is used only.
Interesting... I would have expected the log to report a bit more accurately lol...
Thu Sep 13 10:58:17 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Sep 13 10:58:17 2018 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 13 10:58:17 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Sep 13 10:58:17 2018 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 13 10:58:17 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

openssl
CONNECTED(00000003)
140461058606744:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1536850990
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
In reply to JohnDoe2:
Take a look at this: https://forums.openvpn.net/viewtopic.php?f=24&t=26778
Maybe open a case with Sophos support.
I think it's only 1.0!
When using OpenVPN from e.g. an iPhone, I can set the lowest supported TLS version to either 1.1 or 1.2; I get the message:
"Server TLS version is too low"
When setting it to 1.0 it connects.
In reply to twister5800:
We have now kept the minimum version set to TLS 1.2 on v18 MR1; at the moment we have no plan for 17.5.
Wed Apr 15 15:21:37 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Apr 15 15:21:37 2020 UDPv4 link local: [undef]
Wed Apr 15 15:21:37 2020 UDPv4 link remote: [AF_INET]192.168.50.132:8443
Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,WAIT,,,,,,
Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,AUTH,,,,,,
Wed Apr 15 15:21:37 2020 TLS: Initial packet from [AF_INET]192.168.50.132:8443, sid=cc028869 51acbba6
Wed Apr 15 15:21:37 2020 VERIFY X509NAME OK: C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddressfirstname.lastname@example.org
Wed Apr 15 15:21:37 2020 VERIFY OK: depth=0, C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddressemail@example.com
Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Apr 15 15:21:38 2020 [sc.local] Peer Connection Initiated with [AF_INET]192.168.50.132:8443
Wed Apr 15 15:21:39 2020 MANAGEMENT: >STATE:1586944299,GET_CONFIG,,,,,,
Wed Apr 15 15:21:40 2020 SENT CONTROL [sc.local]: 'PUSH_REQUEST' (status=1)
Wed Apr 15 15:21:40 2020 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 45,ping-restart 180,route 192.168.20.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.4.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,ifconfig 10.81.234.6 255.255.255.0'
Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route options modified
Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route-related options modified
Wed Apr 15 15:21:40 2020 Preserving previous TUN/TAP instance: Ethernet
Wed Apr 15 15:21:40 2020 Initialization Sequence Completed
In reply to Aditya Patel:
Thank you Aditya!
Based on your log line there are still some TLSv1/SSLv3 elements. Will those be changed to TLS 1.2 as well? Specifically:
Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Your log line is also a little misleading compared to your statement, because it has both TLS 1.2 and TLSv1/SSLv3 being used. Can you clarify that?
That is basically an OpenVPN "cosmetic issue".
As XG uses a version of OpenVPN which still has this reporting "bug", it is still in the product.
If you enable a channel with TLS 1.2 only (OpenVPN client for example) and use a current version of TLS 1.2, it will be TLS 1.2 only.
Only if you use v18. If you are stuck with v17, you can't use a safe TLS because this feature has not been backported to V17.
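As an added example (not code from any poster in this thread or from Sophos), a small Python checker for OpenVPN client logs like the ones quoted above: it reads the negotiated protocol from the "Control Channel:" line, keeps the "TLSv1/SSLv3" tag in front of the cipher name separate from it (that tag is OpenSSL's protocol-family label for the cipher suite, not the negotiated version), and flags any handshake below TLS 1.2. The embedded log lines are constructed from the thread; the 1.2 minimum is an assumed policy.

```python
import re
from typing import Optional

# Constructed sample log lines, modelled on the OpenVPN client output quoted in the thread.
SAMPLE_LOG = """\
Thu Sep 13 10:58:17 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Sep 13 10:58:17 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Apr 15 15:21:40 2020 Initialization Sequence Completed
"""

# Field layout of the line OpenVPN prints once the control-channel handshake finishes:
#   Control Channel: <negotiated protocol>, cipher <family label> <suite>, <bits> bit <key type>
CONTROL_RE = re.compile(
    r"Control Channel: (?P<proto>TLSv1(?:\.\d)?), "
    r"cipher (?P<label>\S+) (?P<suite>\S+), (?P<bits>\d+) bit (?P<keytype>\w+)"
)

MIN_PROTO = (1, 2)  # assumed policy: anything older than TLS 1.2 is flagged


def proto_tuple(proto: str) -> tuple:
    """'TLSv1' -> (1, 0); 'TLSv1.2' -> (1, 2)."""
    major, _, minor = proto[len("TLSv"):].partition(".")
    return (int(major), int(minor or 0))


def parse_control_channel(line: str) -> Optional[dict]:
    """Return the handshake fields for a 'Control Channel:' line, else None."""
    m = CONTROL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    # 'proto' is the negotiated version. 'label' ('TLSv1/SSLv3') is the protocol
    # family OpenSSL assigns to the cipher suite and is not a version indicator.
    rec["ok"] = proto_tuple(rec["proto"]) >= MIN_PROTO
    return rec


def audit(log_text: str) -> list:
    """Extract every control-channel handshake in a log and grade it against MIN_PROTO."""
    return [r for r in (parse_control_channel(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        status = "OK" if r["ok"] else "BELOW MINIMUM"
        print(f"{r['proto']:8} {r['suite']:32} {r['bits']} bit {r['keytype']}  -> {status}")
```

Run it against a real client log and only the "proto" column needs attention; a "TLSv1/SSLv3" label next to a TLSv1.2 handshake is the cosmetic reporting discussed above.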