SSTP defaults to RC4

Since 5.13, a change made will default ROS SSTP to RC4 unless the client doesn't advertise RC4. In a pcap of a handshake between ROS and ROS, the client advertises 4 ciphers, including AES256. The server responds that it only supports RC4. I'd say we NEED an option on the client and server side to restrict and prioritize ciphers, like the OpenVPN setup.


Anyone else agree?
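To make the downgrade described above visible without a full pcap tool, here is an added example (not from the thread or from RouterOS) that parses the cipher-suite fields of a TLS ClientHello and ServerHello and reports when the server picked RC4 while the client offered AES. The two hello messages are constructed sample bytes, and the suite-name table is a small hand-picked subset of the IANA registry.

```python
import struct

# Subset of IANA TLS cipher suite IDs; the two RC4 suites are the ones an
# RC4-only server would have to choose.
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
SUITE_NAMES = {**RC4_SUITES, 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def _hello_body(record):
    """Strip the 5-byte TLS record header and 4-byte handshake header."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len or hs_len + 4 > rec_len:
        raise ValueError("truncated handshake message")
    return hs_type, body

def client_hello_suites(record):
    """Return the cipher suites the client offered, in its preference order."""
    hs_type, body = _hello_body(record)
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                                      # version + random
    pos += 1 + body[pos]                              # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def server_hello_suite(record):
    """Return the single cipher suite the server selected."""
    hs_type, body = _hello_body(record)
    if hs_type != 2:
        raise ValueError("not a ServerHello")
    pos = 2 + 32 + 1 + body[2 + 32]                   # version, random, session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]

def negotiation_report(client_record, server_record):
    """Flag a handshake where the server chose RC4 although a stronger suite was offered."""
    offered, chosen = client_hello_suites(client_record), server_hello_suite(server_record)
    return {"offered": [SUITE_NAMES.get(s, hex(s)) for s in offered],
            "chosen": SUITE_NAMES.get(chosen, hex(chosen)),
            "rc4_chosen": chosen in RC4_SUITES,
            "stronger_offered": any(s in SUITE_NAMES and s not in RC4_SUITES for s in offered)}

def _record(hs_type, body):                           # constructed test data helper
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample: client offers AES256, AES128, 3DES, RC4; server answers RC4.
CLIENT_HELLO = _record(1, b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", 8)
                       + struct.pack("!HHHH", 0x0035, 0x002F, 0x000A, 0x0005) + b"\x01\x00\x00\x00")
SERVER_HELLO = _record(2, b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", 0x0005) + b"\x00")
```

Feeding the two hello records from a real capture (the handshake bytes of the TLS session on the SSTP port) into `negotiation_report` gives the same downgrade flag shown with the constructed data.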

This was done due to a security risk: http://www.kb.cert.org/vuls/id/864643

Microsoft implemented update (KB2585542) for Windows which always uses RC4 due to this issue, and we made RouterOS fix to comply with Windows devices.

We can't make use of TLS 1.1?

Windows doesn’t support it.

We could make it an option in some future release.

That'd be optimal... AES would be much preferred over RC4. Just because Windows is fine with mid-grade security doesn't mean ROS-ROS communication has to be stuck with it. Right?

I agree