How can I change the SSL VPN Control Channel to be TLS 1.2?

I was looking at the connection logs from the stoplight and noticed that the Control Channel was using TLS 1.0/SSL3.0. Is there a way I can change that to use TLS 1.2? I looked through all the VPN options and I didn't see anything that would allow me to make sure only TLS 1.2 was used...

  • As far as I know, XG should use TLS1.2 per default.

    The log can show something else, but the connection should be TLS1.2.

    Check out what the port is offering you with a Linux client.

    openssl s_client -host XG.DNS -port 443    (or your SSL VPN port)

  • In reply to LuCar Toni:

    I tested at https://www.ssllabs.com/ssltest and can confirm that only TLS 1.2 is used.

  • In reply to LuCar Toni:

    Interesting... I would have expected the log to report a bit more accurately, lol...

    Log:

    Thu Sep 13 10:58:17 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

    Thu Sep 13 10:58:17 2018 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication

    Thu Sep 13 10:58:17 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

    Thu Sep 13 10:58:17 2018 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication

    Thu Sep 13 10:58:17 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

    openssl:

    CONNECTED(00000003)
    140461058606744:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 305 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1536850990
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

  • In reply to JohnDoe2:

    Take a look at this: https://forums.openvpn.net/viewtopic.php?f=24&t=26778

    Maybe open a case with Sophos support.

  • I think it's only 1.0!

    When using OpenVPN from e.g. an iPhone, if I set the lowest supported TLS version to either 1.1 or 1.2, I get the message:

    "Authentication failed"

    "Server TLS version is too low"

    When setting it to 1.0 it connects.

  • In reply to twister5800:

    Hello all,

    We have now kept the minimum version set to TLS1.2 on V18 MR1; at the moment we have no plan for 17.5.

    Wed Apr 15 15:21:37 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Apr 15 15:21:37 2020 UDPv4 link local: [undef]
    Wed Apr 15 15:21:37 2020 UDPv4 link remote: [AF_INET]192.168.50.132:8443
    Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,WAIT,,,,,,
    Wed Apr 15 15:21:37 2020 MANAGEMENT: >STATE:1586944297,AUTH,,,,,,
    Wed Apr 15 15:21:37 2020 TLS: Initial packet from [AF_INET]192.168.50.132:8443, sid=cc028869 51acbba6
    Wed Apr 15 15:21:37 2020 VERIFY X509NAME OK: C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddress=administrator@sc.local
    Wed Apr 15 15:21:37 2020 VERIFY OK: depth=0, C=IN, ST=GUJARAT, L=VADODARA, O=Sophos, OU=GES, CN=sc.local, emailAddress=administrator@sc.local
    Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Wed Apr 15 15:21:38 2020 [sc.local] Peer Connection Initiated with [AF_INET]192.168.50.132:8443
    Wed Apr 15 15:21:39 2020 MANAGEMENT: >STATE:1586944299,GET_CONFIG,,,,,,
    Wed Apr 15 15:21:40 2020 SENT CONTROL [sc.local]: 'PUSH_REQUEST' (status=1)
    Wed Apr 15 15:21:40 2020 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 45,ping-restart 180,route 192.168.20.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.4.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,ifconfig 10.81.234.6 255.255.255.0'
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route options modified
    Wed Apr 15 15:21:40 2020 OPTIONS IMPORT: route-related options modified
    Wed Apr 15 15:21:40 2020 Preserving previous TUN/TAP instance: Ethernet
    Wed Apr 15 15:21:40 2020 Initialization Sequence Completed

  • In reply to Aditya Patel:

    Thank you Aditya!

    Based on your log line there are still some TLSv1/SSLv3 elements. Will those be changed to TLS 1.2 as well? Specifically:

    Wed Apr 15 15:21:38 2020 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

    Your log line is also a little misleading compared to your statement, because it shows both TLS 1.2 and TLSv1/SSLv3 being used. Can you clarify that?

  • In reply to JohnDoe2:

    That is basically an OpenVPN "cosmetic issue".

    https://forums.openvpn.net/viewtopic.php?t=26778

    As XG uses a version of OpenVPN which still has this reporting "bug", it is still in the product.

    If you enable a channel with TLS1.2 only (OpenVPN client, for example) and use a current version of TLS1.2, it will be TLS1.2 only.
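    A way to read these log lines programmatically, as an added example that is not from the thread or from Sophos/OpenVPN: it separates the protocol that was actually negotiated from the cipher-family token next to the suite name, so only the former is judged against a TLS 1.2 floor. The sample log is constructed from lines quoted earlier in this thread.

```python
import re
from dataclasses import dataclass

# Sample OpenVPN client log. The two "Control Channel" lines are copied from the
# thread above; the "Data Channel" line is there to show it is ignored.
SAMPLE_LOG = """\
Thu Sep 13 10:58:17 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 15 15:21:38 2020 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Apr 15 15:21:38 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

# The field right after "Control Channel:" is the protocol that was actually
# negotiated. The token after "cipher" is only the suite's nominal protocol
# family, which OpenSSL 1.0.x reports as "TLSv1/SSLv3" for every TLS 1.x suite:
# the cosmetic quirk discussed in the thread, not evidence of an SSLv3 handshake.
CONTROL_RE = re.compile(
    r"Control Channel: (?P<negotiated>TLSv1(?:\.\d)?), "
    r"cipher (?P<family>\S+) (?P<suite>[^,\s]+)"
)
MINIMUM = (1, 2)  # TLS 1.2, the floor the thread is asking for


@dataclass
class ControlChannel:
    negotiated: str  # e.g. "TLSv1.2"
    family: str      # e.g. "TLSv1/SSLv3" (cosmetic, see above)
    suite: str       # e.g. "DHE-RSA-AES256-GCM-SHA384"

    def version(self):
        # "TLSv1" -> (1, 0); "TLSv1.2" -> (1, 2)
        major, _, minor = self.negotiated[len("TLSv"):].partition(".")
        return int(major), int(minor or 0)

    def meets_minimum(self, minimum=MINIMUM):
        return self.version() >= minimum


def parse_control_channels(log_text):
    """One ControlChannel per TLS handshake recorded in an OpenVPN client log."""
    return [ControlChannel(m["negotiated"], m["family"], m["suite"])
            for m in map(CONTROL_RE.search, log_text.splitlines()) if m]


def weak_handshakes(log_text, minimum=MINIMUM):
    """Negotiated versions below the floor; the cipher-family token is ignored."""
    return [c.negotiated for c in parse_control_channels(log_text)
            if not c.meets_minimum(minimum)]


if __name__ == "__main__":
    for c in parse_control_channels(SAMPLE_LOG):
        print(f"{c.negotiated:<8} {c.suite:<28} meets TLS 1.2: {c.meets_minimum()}")
    print("handshakes below TLS 1.2:", weak_handshakes(SAMPLE_LOG))
```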

  • In reply to LuCar Toni:

    Only if you use v18. If you are stuck with v17, you can't use a safe TLS because this feature has not been backported to V17.