Page MenuHomeVyOS Platform
Create Task
Maniphest T4982

Openconnect should have TLS 1.0 and TLS 1.1 disabled by default(?)
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

I beleive that changing "tls-priorities" in /usr/share/vyos/templates/ocserv/ocserv_config.j2 to

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-ALL:+VERS-TLS1.2"

Should disable all older versions of TLS.
This would increase security and not flag an VyOS server runnint openconnect VPN as insecury by security auditors.

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.4-rolling
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Security vulnerability

Event Timeline

klase created this task.Feb 6 2023, 10:52 PM
pasik added a subscriber: pasik.Feb 7 2023, 8:25 AM
Viacheslav added a subscriber: Viacheslav.Feb 7 2023, 9:34 AM

Setting it configurable will be a good solution.
Just like it is done in OpenVPN

vyos@r14# set interfaces openvpn vtun0 tls tls-version-min 
Possible completions:
   1.0                  TLS v1.0
   1.1                  TLS v1.1
   1.2                  TLS v1.2
   1.3                  TLS v1.3
Viacheslav triaged this task as Normal priority.Jan 20 2024, 11:43 AM
dmbaturin added a project: Restricted Project.Feb 15 2024, 1:00 PM
dmbaturin added a subscriber: dmbaturin.

Need to ensure that the default is some still-secure option, then we can close the task.

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta.Feb 15 2024, 3:04 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta (1.4.0-epa1).Fri, Apr 12, 1:50 PM
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta (1.4.0-epa3), Restricted Project.Tue, Apr 16, 12:35 PM
Viacheslav changed the subtype of this task from "Bug" to "Feature Request".
Embezzle added a subscriber: Embezzle.Thu, Apr 18, 6:52 AM
Embezzle added a comment.Sun, Apr 28, 8:05 PM

PR: https://github.com/vyos/vyos-1x/pull/3371

syncer assigned this task to Embezzle.Sun, Apr 28, 9:25 PM
syncer added subscribers: c-po, syncer.

@Viacheslav @c-po can you guys review this PR

Embezzle closed this task as Resolved.Wed, May 1, 5:31 PM

Tested as working in: VyOS 1.5-rolling-202405010020

Viacheslav added a project: VyOS 1.4 Sagitta (1.4.0-epa3).Wed, May 1, 5:36 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.