fataleror
just joined
Topic Author
Posts: 1
Joined: Mon Jul 13, 2015 12:15 pm

Winbox Secure Mode, TLS encryption version

Mon Jul 13, 2015 12:32 pm

Hi everybody,

Could anyone help me by answering which version of TLS protocol MikroTik uses for the encryption in secure mode when using winbox? I have a system which needs to be PCI DSS compliant, and one of the requirements is to encrypt all non-console administrative access (if using TLS protocol it is mandatory to use at least v1.1, preferably v1.2).

I have searched the forum and all over the net but haven't found this information.

Thanks in advance!
 
cokegen
just joined
Posts: 2
Joined: Thu Nov 26, 2015 12:15 am

Re: Winbox Secure Mode, TLS encryption version

Thu Nov 26, 2015 12:30 am

Trying to get certified here too. You can check for SSL or TLS version support with the openssl s_client on Linux or maybe Cygwin if you're on Windows. Type "man s_client" on your Linux to get more information about this.

openssl s_client -connect hostname:port -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 -no_tls1_2

You can remove the -no_version you're interested to check, for example:

openssl s_client -connect hostname:port -no_ssl2 -no_ssl3 -no_tls1_1 -no_tls1_2

Will check if the handshake can be done with TLSv1.0.

The ordering for the versions is the following (at least AFAIK):

SSLv1 (never actually released)
SSLv2 (insecure)
SSLv3 (insecure)
TLSv1.0 (accepted, but read below ...)
TLSv1.1 (accepted, but read below ...)
TLSv1.2 (secure)
TLSv1.3 (draft, not released, but of course will be secure)

TLSv1.0 and TLSv1.1 will be accepted it seems until 30 June 2016 (you can go with it now if a "Risk Mitigation and Migration Plan" is in place), date after which you'll need to write a Compensating Control for it and check if the implementation is not broken in your particular case (a mess, IMO).

That being said ...

It would be awesome if someone from Mikrotik can answer if SSL/TLS versions can be enabled/disabled at will, either on the GUI or via CLI.


Carlos
 
sx10
newbie
Posts: 28
Joined: Fri Jan 04, 2013 5:46 am
Location: Portland, OR USA

Re: Winbox Secure Mode, TLS encryption version

Tue Dec 01, 2015 8:38 pm

Also going through PCI 3.1 and getting dinged for TLS 1.0 on mikrotik SSTP.

It looks like the latest ROS versions 6.30+ support TLS 1.2 and have all the necessary mitigations, we just aren't able to disable TLS 1.0.

It seems like they should be able to give us a checkbox for "Force TLS 1.2" just like we have the Force AES box now.
 
sx10
newbie
Posts: 28
Joined: Fri Jan 04, 2013 5:46 am
Location: Portland, OR USA

Re: Winbox Secure Mode, TLS encryption version

Wed Dec 02, 2015 5:17 pm

It does not use any of the above. TLS was used in early versions. Now Winbox Secure mode uses a custom modified and improved RC4-drop3072
My issue is with SSTP, not Winbox. Guess I didn't read the subject line, but TLS 1.0 is still enabled on SSTP server.
 
cokegen
just joined
Posts: 2
Joined: Thu Nov 26, 2015 12:15 am

Re: Winbox Secure Mode, TLS encryption version

Thu Dec 10, 2015 11:18 pm

Issue with certifications like PCI DSS comes from the fact that you need to certify that your system component (an MT router in our case) doesn't allow insecure versions of SSL/TLS, being that over the webfig administration interface (HTTPS) or via winbox. It's **required** to not allow fallback to insecure versions, that is, you should not be able to connect with anything that is NOT secure enough (forced by the device, not the client connecting).

Mikrotik should add or provide a way to control which SSL or TLS mode is accepted in configuration.

Also, not strictly related to this post, but people trying to get certified will also have issues with the SSH daemon, since it doesn't allow the following values to be configured (from the openssh-server daemon running on most Linux machines, IDK what MT runs):

Protocol [1/2]
ChallengeResponseAuthentication [yes/no]
PasswordAuthentication [yes/no]
ClientAliveInterval [number]
ClientAliveCountMax [number]

And also only DSA keys supported? No RSA keys? I don't think it should be **that** hard to support these parameters, which a lot of people in enterprise environments will surely appreciate having.
 
sx10
newbie
Posts: 28
Joined: Fri Jan 04, 2013 5:46 am
Location: Portland, OR USA

Re: Winbox Secure Mode, TLS encryption version

Thu Dec 31, 2015 6:51 pm

For anyone that finds this thread, the TLS 1.0 issue has been fixed in the 6.34 rc builds.
 
HiltonT
Frequent Visitor
Posts: 77
Joined: Mon Feb 07, 2011 4:24 am
Location: 'Srayamate

Re: Winbox Secure Mode, TLS encryption version

Sat Jan 09, 2016 1:58 am

Hhmmm, what about Webfig? I can connect perfectly using https, but when I try https, I get the old "You need to enable crappy, insecure protocols to access this website" message (yes, I enabled www-ssl in ip/service). I get the same issue trying IE11 (Win 10) and Chrome ver 47 - neither of these support the older SSL protocols and it seems Webfig doesn't run TLS 1.x (preferably 1.2).
 
wreidlinger
just joined
Posts: 2
Joined: Mon Jun 29, 2020 5:21 pm

disable TLS 1.0 / TLS 1.1 / weak ciphers

Mon Jun 29, 2020 5:28 pm

I just set up SSL for webfig with a letsencrypt certificate and it's working just fine.
But I also want to harden the SSL / HTTPS service, so I did a vulnerability scan and the results tell me there are some vulnerable / old protocols and ciphers still active.
Is it possible to disable TLS 1.0 / TLS 1.1 or disable specific SSL / HTTPS ciphers?
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Thankful for every help,
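The scanner output above is only a list of suite names, so it helps to have a repeatable way to decide which suites count as weak and to confirm what the service really negotiates. The script below is an added example, not code from the thread or from MikroTik: `is_weak_suite` flags suite names by their weak components (RC4, MD5, NULL, export, DES/3DES, anonymous key exchange) in both IANA naming as quoted in the post and OpenSSL naming, and `enumerate_suites` offers one suite at a time to a live port with `openssl s_client -cipher` so the accepted set can be checked directly. The sample suite list is constructed from the names quoted above; host, port and version are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from MikroTik): flag weak TLS cipher
# suites by name, and enumerate which suites a live service accepts.

# Constructed sample: the three suites quoted in the post above (IANA naming)
# plus one modern suite so that the classification shows both outcomes.
SAMPLE_SUITES="TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Return 0 (weak) when the suite name carries a component PCI scanners reject:
# RC4, MD5 MAC, NULL cipher, export grades, single/triple DES, anonymous DH/ECDH.
# Matches both IANA names (TLS_RSA_WITH_RC4_128_MD5) and OpenSSL names (RC4-MD5).
is_weak_suite() {
    case "$1" in
        *RC4*|*MD5*|*NULL*|*EXP*|*DES*|*ADH*|*AECDH*|*anon*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read suite names from stdin (one per line) and print "weak"/"ok" per suite.
classify_suites() {
    while IFS= read -r suite; do
        [ -z "$suite" ] && continue
        if is_weak_suite "$suite"; then
            echo "weak $suite"
        else
            echo "ok   $suite"
        fi
    done
}

# Number of weak suites in a newline-separated list (for a pass/fail summary).
count_weak() {
    printf '%s\n' "$1" | classify_suites | awk '/^weak /{n++} END{print n+0}'
}

# Offer every suite OpenSSL knows, one per handshake, for a single protocol
# version (tls1, tls1_1 or tls1_2, i.e. the s_client flag without the dash);
# prints the suites the server accepted, in OpenSSL naming. s_client exits
# non-zero when the handshake fails, which is what the loop keys on.
enumerate_suites() {
    host="$1"; port="$2"; version="$3"
    openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | while IFS= read -r c; do
        if openssl s_client -connect "$host:$port" "-$version" -cipher "$c" \
             </dev/null >/dev/null 2>&1; then
            echo "$c"
        fi
    done
}

# Stand-alone use: ./suites.sh <host> <port> <tls1|tls1_1|tls1_2>
# With no arguments, classify the constructed sample list instead.
if [ "$#" -eq 3 ]; then
    enumerate_suites "$1" "$2" "$3" | classify_suites
else
    printf '%s\n' "$SAMPLE_SUITES" | classify_suites
    echo "weak suites in sample: $(count_weak "$SAMPLE_SUITES")"
fi
```

`-cipher` governs TLS 1.2 and earlier only; TLS 1.3 suites are selected with `-ciphersuites` in OpenSSL 1.1.1 and later, which is not relevant to the versions this thread covers. OpenSSL 1.1.1+ can print the IANA name next to each OpenSSL name with `openssl ciphers -stdname`, which makes it easier to match the enumeration against scanner reports like the one above.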
 
normis
MikroTik Support
Posts: 26440
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox Secure Mode, TLS encryption version

Tue Sep 29, 2020 11:43 am

ip service set www-ssl tls-version=only-1.2
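The `openssl s_client` approach described in cokegen's reply above is the natural way to verify that `tls-version=only-1.2` actually took effect on the www-ssl service. The script below is an added example and not MikroTik's or the thread's own code: it attempts one handshake per TLS version, reads the negotiated protocol out of the `SSL-Session` block, and then judges the results against the "only TLS 1.2" target (everything older rejected, TLS 1.2 accepted). It uses s_client's `-tls1`, `-tls1_1`, `-tls1_2` and `-tls1_3` flags, which force exactly one version and are the positive form of the `-no_*` exclusions shown earlier in the thread. The router address and port are placeholders, and the embedded s_client output used for the self-check is constructed.

```shell
#!/bin/sh
# Added example (not MikroTik's or the thread's own code): probe which TLS
# versions a service accepts and judge the result against an "only TLS 1.2"
# policy such as: ip service set www-ssl tls-version=only-1.2

# Constructed sample of the part of s_client output that parse_protocol reads.
SAMPLE_SESSION='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---'

# Extract the negotiated protocol from s_client output on stdin; prints nothing
# when no handshake completed (the SSL-Session block is then absent).
parse_protocol() {
    sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Try exactly one version (tls1, tls1_1, tls1_2 or tls1_3) against host:port.
# Prints "accepted <negotiated>" or "rejected". A version flag the local OpenSSL
# build does not know (e.g. -tls1_3 before 1.1.1) also shows as "rejected".
probe_version() {
    host="$1"; port="$2"; version="$3"
    if out=$(openssl s_client -connect "$host:$port" "-$version" </dev/null 2>/dev/null); then
        echo "accepted $(printf '%s\n' "$out" | parse_protocol)"
    else
        echo "rejected"
    fi
}

# Judge per-version results given as "version=accepted|rejected" arguments:
# tls1 and tls1_1 (and ssl3) must be rejected, tls1_2 must be present and
# accepted; tls1_3 is allowed either way. Returns 0 on pass, 1 on fail.
judge_only_1_2() {
    pass=0; seen12=0
    for item in "$@"; do
        ver=${item%%=*}; state=${item#*=}
        case "$ver" in
            tls1_2)           seen12=1; [ "$state" = accepted ] || pass=1 ;;
            ssl3|tls1|tls1_1) [ "$state" = rejected ] || pass=1 ;;
        esac
    done
    [ "$seen12" -eq 1 ] || pass=1
    return $pass
}

# Probe all versions on one service, print each result, then PASS or FAIL.
audit_service() {
    host="$1"; port="$2"; results=""
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        r=$(probe_version "$host" "$port" "$v")
        echo "$v: $r"
        results="$results $v=${r%% *}"
    done
    if judge_only_1_2 $results; then
        echo "PASS: only TLS 1.2 or newer negotiated"
    else
        echo "FAIL: legacy TLS still accepted, or TLS 1.2 not offered"
    fi
}

# Stand-alone use: ./tls-audit.sh <router-ip> 443
# Without arguments, only demonstrate the parser on the constructed sample.
if [ "$#" -eq 2 ]; then
    audit_service "$1" "$2"
else
    echo "sample negotiated: $(printf '%s\n' "$SAMPLE_SESSION" | parse_protocol)"
fi
```

Run it once before and once after changing the service setting: before, `tls1` and `tls1_1` report `accepted` and the audit fails; after `tls-version=only-1.2` both should report `rejected` while `tls1_2` still completes. The same probe applies to any other TLS-fronted service on the router, such as the SSTP port discussed earlier in the thread.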
 
anav
Forum Guru
Posts: 19802
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox Secure Mode, TLS encryption version

Tue Sep 29, 2020 4:43 pm

Thanks Normis,
Sounds like it should be a default setting, with an option command to downgrade if necessary (vice the current default to what seems to be an old standard??), but then I know diddly squat about security architectures and standards.
 
za7
just joined
Posts: 19
Joined: Tue Mar 14, 2017 8:59 pm

Re: Winbox Secure Mode, TLS encryption version

Sun Feb 18, 2024 11:41 pm

TLS 1.2 was defined in RFC 5246 in August 2008.
TLS 1.3 was defined in RFC 8446 in August 2018.
Is there a plan to update the TLS version in RouterOS to TLS 1.3?
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Winbox Secure Mode, TLS encryption version

Sun Feb 18, 2024 11:52 pm

We should have TLS1.3 as an option to select when............... YESTERDAY.
I believe that protocol makes perfect forward secrecy mandatory when selected so that will create additional firmware work to implement.
It would be nice if MT actually stated approx. when it's expected to hit the road map.
