
OpenConnect should have TLS 1.0 and TLS 1.1 disabled by default
Closed, Resolved | Public | Feature Request

Description

I believe that changing "tls-priorities" in /usr/share/vyos/templates/ocserv/ocserv_config.j2 to

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-ALL:+VERS-TLS1.2"

should disable all older versions of TLS.
This would increase security and not flag a VyOS server running the OpenConnect VPN as insecure by security auditors.

Details

Version: vyos-1.4-rolling
Is it a breaking change? Behavior change
Issue type: Security vulnerability

Event Timeline

Making it configurable will be a good solution, just like it is done in OpenVPN:

vyos@r14# set interfaces openvpn vtun0 tls tls-version-min 
Possible completions:
   1.0                  TLS v1.0
   1.1                  TLS v1.1
   1.2                  TLS v1.2
   1.3                  TLS v1.3
dmbaturin subscribed.
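Two things a reviewer would want to check before either the fixed priority string from the description or a configurable minimum version (the OpenVPN-style knob suggested above) lands in the template: which TLS versions a given GnuTLS priority string actually leaves enabled, and what string a "tls-version-min" style setting should render to. The following is an added example, not VyOS or ocserv code. It models only the VERS-* modifiers of a GnuTLS priority string; cipher/key-exchange modifiers such as -RSA and -ARCFOUR-128 and %FLAGS are accepted but do not change the version set, and DTLS versions are outside the model. The baseline set for the NORMAL keyword (TLS 1.0 through 1.3 enabled, SSL 3.0 not enabled) is an assumption about GnuTLS 3.6+ builds, and priority_for_min_version is a hypothetical helper, not how VyOS implemented the option. One thing the evaluator makes visible: the proposed string ends with "-VERS-ALL:+VERS-TLS1.2", so it disables TLS 1.3 as well, unless "+VERS-TLS1.3" is appended.

```python
# Added example (not VyOS/ocserv code): evaluate the protocol-version effect of a
# GnuTLS priority string, and render one from an OpenVPN-style minimum version.
from __future__ import annotations

ALL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")

# Assumption: in a GnuTLS 3.6+ build the NORMAL keyword enables TLS 1.0-1.3
# and does not enable SSL 3.0. NONE starts from an empty set.
BASELINES = {
    "NORMAL": {"TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"},
    "NONE": set(),
}

# The string proposed in the task description.
PROPOSED = ("NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:"
            "-ARCFOUR-128:-VERS-ALL:+VERS-TLS1.2")


def enabled_tls_versions(priority: str) -> set[str]:
    """Return the TLS versions a GnuTLS priority string leaves enabled.

    Only VERS-* modifiers are interpreted. %FLAGS and cipher, MAC or
    key-exchange modifiers (-RSA, -ARCFOUR-128, ...) are skipped because
    they do not alter the protocol-version set. Only '+' and '-' are handled.
    """
    tokens = [t.strip() for t in priority.strip().strip('"').split(":") if t.strip()]
    if not tokens:
        raise ValueError("empty priority string")
    first = tokens[0]
    if first not in BASELINES:
        raise ValueError(f"unsupported initial keyword: {first!r}")
    enabled = set(BASELINES[first])
    for tok in tokens[1:]:
        if tok.startswith("%"):
            continue  # %SERVER_PRECEDENCE, %COMPAT, ... are behaviour flags
        if tok[0] not in "+-":
            raise ValueError(f"modifier must start with '+' or '-': {tok!r}")
        op, name = tok[0], tok[1:]
        if not name.startswith("VERS-"):
            continue  # algorithm modifier, irrelevant to the version set
        target = name[len("VERS-"):]
        if target == "ALL":
            versions = set(ALL_VERSIONS)
        elif target in ALL_VERSIONS:
            versions = {target}
        else:
            raise ValueError(f"unknown protocol version: {target!r}")
        if op == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def audit(priority: str) -> dict:
    """Summarise what an auditor would flag: any legacy version still enabled."""
    enabled = enabled_tls_versions(priority)
    return {
        "enabled": sorted(enabled),
        "legacy_enabled": sorted(enabled & {"SSL3.0", "TLS1.0", "TLS1.1"}),
        "tls13_enabled": "TLS1.3" in enabled,
    }


def priority_for_min_version(min_version: str,
                             base: str = "NORMAL:%SERVER_PRECEDENCE") -> str:
    """Hypothetical helper: render a priority string that allows only TLS
    versions >= min_version ("1.0", "1.1", "1.2" or "1.3"), mirroring the
    OpenVPN tls-version-min option. Not the VyOS implementation.
    """
    tls = ("TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
    key = f"TLS{min_version}"
    if key not in tls:
        raise ValueError(f"unsupported minimum version: {min_version!r}")
    allowed = tls[tls.index(key):]
    # Clear every version first so the result does not depend on the baseline.
    return ":".join([base, "-VERS-ALL", *(f"+VERS-{v}" for v in allowed)])


if __name__ == "__main__":
    print("proposed      ", audit(PROPOSED))
    print("proposed+1.3  ", audit(PROPOSED + ":+VERS-TLS1.3"))
    print("min 1.2       ", priority_for_min_version("1.2"))
```

Running it shows the proposed string leaves only TLS 1.2 enabled (no legacy versions, but also no TLS 1.3), while priority_for_min_version("1.2") yields a string that enables TLS 1.2 and 1.3. Whatever string is finally chosen, verify it against the actual GnuTLS build with gnutls-cli --priority "<string>" -l, since the keyword baselines differ between GnuTLS versions.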

Need to ensure that the default is some still-secure option, then we can close the task.

Viacheslav changed the subtype of this task from "Bug" to "Feature Request".
syncer added subscribers: c-po, syncer.

@Viacheslav @c-po can you guys review this PR

Tested as working in: VyOS 1.5-rolling-202405010020

dmbaturin renamed this task from "Openconnect should have TLS 1.0 and TLS 1.1 disabled by default(?)" to "OpenConnect should have TLS 1.0 and TLS 1.1 disabled by default". May 11 2024, 8:00 PM
dmbaturin removed a project: VyOS 1.5 Circinus.