SSTP: AES-GCM support, granular control of cipher suites.

Posted: Thu Dec 26, 2013 5:14 pm
by nicklowe
I presently use SSTP for site to site VPNs between router boards.

It would be fantastic if MikroTik would consider offering the following in the future:

1) Support for TLS 1.2.
2) Granular control of the cipher suites offered on the server.
3) Support for AES-GCM. This is today the recommended secure cipher suite over RC4 for performance reasons. It offers strong performance benefits over AES-CBC.

Season's regards to all! :)

Thanks,

Nick

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Tue Nov 24, 2015 4:26 pm
by iustinn
> I presently use SSTP for site to site VPNs between router boards.
>
> It would be fantastic if MikroTik would consider offering the following in the future:
>
> 1) Support for TLS 1.2.
> 2) Granular control of the cipher suites offered on the server.
> 3) Support for AES-GCM. This is today the recommended secure cipher suite over RC4 for performance reasons. It offers strong performance benefits over AES-CBC.
>
> Season's regards to all! :)
>
> Thanks,
>
> Nick

2 years later, same situation. MikroTik, please update!!!

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Tue Nov 24, 2015 4:47 pm
by mrz
TLS 1.2 is already supported and PFS already can be enabled.
Currently only GCM is not possible but might be added in the future.

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Wed Nov 25, 2015 7:29 pm
by iustinn
> TLS 1.2 is already supported and PFS already can be enabled.
> Currently only GCM is not possible but might be added in the future.

Indeed, TLS 1.2 is enabled, but I have not found the option for PFS on the webservice for administering the router.
Also, if you look at HMAC, it is SHA1, and again, no option for SHA2.

GCM is less of a problem, at least for me.
Best regards.
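
To check what an SSTP endpoint (TLS on TCP 443) actually negotiates for the properties raised in the post above, here is an added example that is not part of the thread. The helper names `classify` and `probe` are hypothetical, and the suite names in `SAMPLES` are constructed for illustration.

```python
import socket
import ssl

def classify(suite: str) -> dict:
    """Derive PFS/AEAD/MAC properties from a cipher suite name (OpenSSL or IANA style)."""
    parts = suite.upper().replace("_", "-").split("-")
    # TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256) always use ephemeral key exchange.
    tls13 = parts[0] == "TLS" and "WITH" not in parts
    pfs = tls13 or bool({"ECDHE", "DHE", "EDH"} & set(parts))
    # AEAD modes authenticate inside the cipher; the trailing hash is then only the PRF.
    aead = bool({"GCM", "CCM", "CCM8", "POLY1305"} & set(parts))
    if aead:
        mac = "AEAD"
    else:
        # OpenSSL writes a bare "SHA" for SHA-1.
        mac = "HMAC-SHA1" if parts[-1] == "SHA" else "HMAC-" + parts[-1]
    return {"pfs": pfs, "aead": aead, "mac": mac}

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete one TLS handshake and report the negotiated version and suite."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # audit only: router certificates are often self-signed
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                suite = tls.cipher()[0]
                return {"version": tls.version(), "suite": suite, **classify(suite)}
    except ssl.SSLError as exc:
        # A handshake failure here typically means client and server share no suite.
        return {"error": exc.reason or str(exc)}

# Constructed sample names, not captured from any router.
SAMPLES = [
    "AES128-SHA",                   # RSA key exchange, CBC, HMAC-SHA1
    "ECDHE-RSA-AES256-SHA384",      # PFS, CBC, HMAC-SHA384
    "ECDHE-RSA-AES128-GCM-SHA256",  # PFS, AEAD
    "TLS_AES_256_GCM_SHA384",       # TLS 1.3
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

`probe()` reports only the single suite the server selects for this client's offer, so a handshake error from a modern client is itself a finding: the server offers nothing the client's default policy accepts.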

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Sun Dec 27, 2015 1:39 pm
by Zorro
It's only a matter of time, because CWC and OCB were the future of ciphers, and even the updated/re-worked EAX shows notably improved scalability.
So far GCM is good for the "transition" period and a step up from CCM.
"In general", legacy things like XTS, CBC and, some time after, perhaps CCM get phased out/deprecated eventually.

https://en.wikipedia.org/wiki/Block_cip ... _operation
So far both CWC and (to some degree) EAX variations show the best scalability, performance/overhead and security among them, in my opinion.
But supporting some of them is painful, because some stuff is hard to backport and some wasn't really trivial for older kernels at ALL :(

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Mon Feb 01, 2016 11:30 pm
by iustinn
Any update on the PFS/SHA1 issue? ...

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Sun Jun 04, 2017 1:29 am
by majestic
+1 This would be really helpful if ROS had AES-GCM support, as there's a huge performance boost for all. That means lower hardware can achieve higher throughput, which likely would be more cost effective.

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Thu Jan 10, 2019 9:44 am
by kolyk
Are there any plans for upgrading cipher suites?

I was using Windows 10 + Mikrotik SSTP VPN for years and now it is not possible to connect because they don't have any cipher suite in common after some upgrade.

Re: SSTP: AES-GCM support, granular control of cipher suites.

Posted: Sat Jan 26, 2019 6:23 pm
by Anastasia
Add the ability to select the encryption mode to the settings: aes-128 cbc, aes-256 cbc, blowfish, twofish, aes-128 ctr, aes-256 ctr, aes-128 gcm, aes-256 gcm and MPPE 128.