I presently use SSTP for site to site VPNs between router boards.
It would be fantastic if MikroTik would consider offering the following in the future:
Support for TLS 1.2.
Granular control of the cipher suites offered on the server.
Support for AES-GCM. This is today the recommended secure cipher suite over RC4 for performance reasons. It offers strong performance benefits over AES-CBC.
Indeed, TLS 1.2 is enabled, but have not find the option for PFS on the webservice for administering the router.
Also, if you look at HMAC, it is SHA1, and again, no option for SHA2
GCM is less of a problem, at least for me.
Best regards.
its only matter of time cuz CWC, OCB was future of ciphers, and even updated/re-worked EAX shows Notably improved scalability.
so far GCM is good for “transition” period and step-up from CCM.
“in general” legacy things, like XTS, CBC and some time after - CCM, perhaps - been phased-out/deprecated eventually.
https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
so far both CWC and (to some degree)EAX variations - shows best scalability, performance/overhead, security among them, in my opinion.
but suporting some of them - painful. cuz some stuff is hard to backport and some wasn’t really trivial to older kernels At ALL
+1 This would be really helpful if ROS had AES-GCM support as theres a huge performance boot for all. That means lower hardware can achieve higher throughput which likely would be more cost effective.
I was using Windows 10 + Mikrotik SSTP VPN for years and now it is not possible to connect because they don’t have any cipher suite in common after some upgrade.
add the ability to select the encryption mode to the settings: aes-128 cbc, aes-256 cbc, blowfish, twofish, aes-128 ctr, aes-256 ctr, aes-128 gcm, aes-256 gcm and MPPE 128