drs
just joined
Topic Author
Posts: 1
Joined: Wed Sep 08, 2021 11:48 am

Feature request: updated TLS ciphers for SSTP

Wed Sep 08, 2021 12:25 pm

I've set up the SSTP server as below, but the strongest cipher suite that's offered is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014). That's concerning because both CBC mode and the SHA1 hash are widely regarded as insufficiently secure today. The SSTP client on my Windows 10 PC supports cipher suites with GCM as well as SHA256 and 384 (e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)), so clients would be able to use them, if only RouterOS supported them.

/interface sstp-server server
set authentication=mschap2 certificate=XXX default-profile=vpn enabled=yes \
    force-aes=yes pfs=yes tls-version=only-1.2

Thanks.
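Added example (my own code, not the poster's configuration or anything from MikroTik): a small grader for IANA-style TLS cipher suite names that applies the "modern suites only" policy the thread is about, flagging CBC mode, a SHA-1 (or MD5) MAC, and key exchanges without forward secrecy. The list of suites it audits is constructed for illustration; only 0xc014 and 0xc030 come from the post above. Useful for turning a server's offered-suite list (e.g. from a scanner's output) into a pass/fail report before a strict client refuses to connect.

```python
"""Grade TLS cipher suites (IANA names) against a modern-only policy.

Added example, not code from the forum thread or from RouterOS.
Policy: a suite is rejected if it uses CBC mode, a SHA-1 or MD5 MAC,
RC4/DES/NULL/export ciphers, an anonymous key exchange, or a key
exchange without forward secrecy. TLS 1.3 suites (no "_WITH_" in the
name) are always AEAD with ephemeral key exchange and therefore pass.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# TLS 1.2 name grammar: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac-or-prf>
_TLS12_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9]+?)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?_WITH_"
    r"(?P<cipher>[A-Z0-9_]+)_(?P<hash>MD5|SHA|SHA256|SHA384)$"
)
# TLS 1.3 name grammar (RFC 8446): TLS_<aead cipher>_<hash>
_TLS13_RE = re.compile(r"^TLS_(?P<cipher>[A-Z0-9_]+)_(?P<hash>SHA256|SHA384)$")

PFS_KX = {"ECDHE", "DHE"}          # ephemeral exchanges give forward secrecy
AEAD_SUFFIXES = ("_GCM", "_CCM", "_CCM_8", "_POLY1305")


@dataclass
class SuiteGrade:
    name: str
    kx: Optional[str]
    cipher: str
    hash: str
    reasons: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.reasons


def grade_suite(name: str) -> SuiteGrade:
    """Parse one IANA suite name and list every reason it fails the policy."""
    if "_WITH_" not in name:
        m13 = _TLS13_RE.match(name)
        if m13:
            return SuiteGrade(name, "TLS1.3", m13["cipher"], m13["hash"])
        return SuiteGrade(name, None, "?", "?", ["unrecognised suite name"])
    m = _TLS12_RE.match(name)
    if not m:
        return SuiteGrade(name, None, "?", "?", ["unrecognised suite name"])
    kx, auth, cipher, hsh = m["kx"], m["auth"], m["cipher"], m["hash"]
    reasons: List[str] = []
    if kx not in PFS_KX:
        reasons.append(f"{kx} key exchange has no forward secrecy")
    if auth == "anon":
        reasons.append("anonymous key exchange (server not authenticated)")
    if "NULL" in cipher:
        reasons.append("NULL cipher (no confidentiality)")
    if "EXPORT" in cipher:
        reasons.append("export-grade cipher")
    if "RC4" in cipher:
        reasons.append("RC4 stream cipher")
    if "DES" in cipher:          # covers DES and 3DES_EDE
        reasons.append("DES/3DES block cipher")
    aead = cipher.endswith(AEAD_SUFFIXES)
    if cipher.endswith("_CBC"):
        reasons.append("CBC mode (MAC-then-encrypt, not AEAD)")
    # In IANA names "SHA" means SHA-1; for non-AEAD suites it is the HMAC.
    if not aead and hsh in ("SHA", "MD5"):
        reasons.append(f"{'SHA-1' if hsh == 'SHA' else 'MD5'} HMAC")
    return SuiteGrade(name, kx, cipher, hsh, reasons)


def audit(offered: List[str]) -> Tuple[List[SuiteGrade], List[SuiteGrade]]:
    """Split an offered-suite list into (acceptable, rejected) grades."""
    grades = [grade_suite(n) for n in offered]
    return [g for g in grades if g.ok], [g for g in grades if not g.ok]


# Constructed sample: what a server might advertise. Only 0xc014 and 0xc030
# are mentioned in the thread; the rest are added for illustration.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # 0xc014, strongest on the SSTP server
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # 0xc030, what the client wants
    "TLS_RSA_WITH_AES_128_GCM_SHA256",         # AEAD but static RSA, no PFS
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",                  # TLS 1.3
]

if __name__ == "__main__":
    good, bad = audit(SAMPLE_OFFERED)
    for g in good:
        print(f"OK      {g.name}")
    for g in bad:
        print(f"REJECT  {g.name}: " + "; ".join(g.reasons))
```

Run as a script it prints one line per suite; with the sample list only the GCM ECDHE suite and the TLS 1.3 suite pass, and 0xc014 is rejected for both CBC mode and its SHA-1 HMAC, which is exactly the combination the hardened Windows image in the second post refuses.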
 
alasdaircs
just joined
Posts: 5
Joined: Mon Nov 09, 2015 3:04 pm
Location: Exmouth, UK
Contact:

Re: Feature request: updated TLS ciphers for SSTP

Tue Dec 07, 2021 9:30 am

I'll second this. I just spun up a stock Windows Server 2022 image on Azure and tried to connect it to an RB 3011 running RouterOS 6.49.2, and it failed to connect because it only supports cipher suites known to be secure out of the box, and _CBC_SHA does not meet that requirement. The error message was typically unhelpful too. I had to manually enable a less secure compatible cipher suite to get any connection at all.

I think the Azure image must be security hardened compared to regular Windows Server 2022 (see https://docs.microsoft.com/en-us/window ... erver-2022) so not a problem for most people.
