Description: During external security scans or penetration tests (e.g., Qualys or SSL Labs), you may see reports indicating the presence of weak cipher suites (CBC) on your Access Server's web services.
Example:
This guide explains the issue and provides two options for mitigating it:
- Option 1: Enable TLSv1.3 to address the issue without disabling CBC, maintaining compatibility.
- Option 2: Fully disable CBC ciphers if compatibility isn't a concern.
Important: OpenVPN recommends using Option 1 to maintain broader compatibility. Only use Option 2 if required by compliance or specific security policies.
Option 1: Enable TLSv1.3
TLSv1.3 doesn't use CBC ciphers, resolving the issue without disabling CBC entirely. To enable TLSv1.3, ensure your operating system supports OpenSSL 1.1 or newer (e.g., OpenSSL 3).
Operating Systems with OpenSSL 1.1 or newer:
- Ubuntu: 20.04, 22.04, 24.04
- Debian: 11, 12
- RHEL: 8, 9, and RHEL clones (e.g., Rocky Linux, Alma Linux, Oracle Linux)
To enable TLSv1.3:
- Sign in to the Admin Web UI.
- Click Configuration > TLS Settings.
- Enable TLS 1.3 under TLS options for Web Server.
- Click Save Settings and Update Running Server.
Option 2: Disable CBC ciphers
If you need to disable CBC ciphers entirely, follow these steps based on your OpenSSL version.
- Check your OpenSSL version by running the following command:
openssl version
- Example Outputs showing either OpenSSL 1.1 or OpenSSL3:
-
root@openvpn-as-Brandon:~# openssl version
OpenSSL 1.1.1 11 Sep 2018 -
root@openvpn-as-Brandon:~# openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
-
- Example Outputs showing either OpenSSL 1.1 or OpenSSL3:
- Disable CBC Ciphers:
- For OpenSSL 1.1:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.openssl_ciphersuites" --value 'CHACHA20:AESGCM:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA' ConfigPut
./sacli start - For OpenSSL 3:
sudo su
cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.openssl_ciphersuites" --value 'DEFAULT:!CBC:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA' ConfigPut
./sacli start
- For OpenSSL 1.1:
- Verify CBC ciphers are disabled using the
nmap
command to test the cipher suites:- From a remote Linux machine:
nmap --script ssl-enum-ciphers 10.10.10.10
Where10.10.10.10
is the IP of your Access Server. - From the local machine hosting the Access Server:
nmap --script ssl-enum-ciphers localhost
- From a remote Linux machine:
Before disabling CBC Ciphers:
The scan will show CBC ciphers such as TLS_ECHDHE_RSA_WITH_AES_256_CBC_SHA
.
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
After disabling CBC ciphers:
CBC ciphers will no longer appear in the output:
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
Additional Information
For more details refer to the Selecting a custom cipher suite string for the webserver article.
If you have additional questions, please submit a ticket.
Comments
0 comments
Please sign in to leave a comment.