This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM - OpenVPN Client - AES-GCM

So far, SSL VPN under the UTM has worked without any problems with the OpenVPN client.
In the meantime, OpenVPN 2.6RC1 has been released, which requires AES-GCM ciphers. Only with a change in the config file the OpenVPN client can still connect.
e.g.
---
data-ciphers AES-128-CBC
data-ciphers-fallback AES-128-CBC
---

It is a pity that the ciphers are not unlocked under SSL VPN.
Under IPSec they are available. So it is probably a purely strategic decision by Sophos not to enable them under SSL VPN.

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 1 year ago

Getting GCM to work in SSLVPN would mean to upgrade the openvpn version, which means to upgrade and test all sub components of this module. It is not a pure apt-get upgrade - it is more likely a huge effort to do this.

SFOS already supports this ciphers and other further upgrade. So maybe a upgrade to SFOS would resolve your need, especially if you are a home user.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 IT-Admin007 over 1 year ago in reply to LuCar Toni

I am not a home user.
We have OpenVPN in use on many clients.
Instead of migrating to SFOS, I'm more likely to switch to another enterprise product.
The excuse of a huge effort does not apply in security products.
It has been known since at least 2019 that the CBC Ciphers is considered vulnerable.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 IT-Admin007 over 1 year ago in reply to LuCar Toni

I am not a home user.
We have OpenVPN in use on many clients.
Instead of migrating to SFOS, I'm more likely to switch to another enterprise product.
The excuse of a huge effort does not apply in security products.
It has been known since at least 2019 that the CBC Ciphers is considered vulnerable.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LuCar Toni over 1 year ago in reply to IT-Admin007

CBC is vulnerable? You mean this? https://success.qualys.com/discussions/s/question/0D52L00005lbJrVSAU/why-are-cbc-ciphers-considered-weak

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 piddae over 1 year ago in reply to LuCar Toni

I think it is very poor that sophos does not present GCM on openvpn but on ipsec they do. GCM is used almost everywhere instead of cbc. We have vpn routers same age or even older as sophos utm wihich offer GCM and ctr. They are supposed to be faster and more safe as cbc. We think about changing our openssl system.
Cancel
Vote Up 0 Vote Down

Cancel