Tutorial: Harden the Web Server Cipher Suite String
Increase Access Server security by hardening the web server cipher suite string. Here's how.
Overview
HTTPS-protected web services must define which TLS cipher suites they accept. This is a balance of security versus compatibility: the most restrictive string makes the web interface inaccessible from older platforms and browsers. We try to choose a default Access Server setting that supports current operating systems and browsers. You can adjust the cipher suite string for your needs.
Important
The default cipher suite string for Access Server 2.9.1 and newer:
DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA
The default cipher suite string for Access Server 2.0.14-2.9.0:
DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4
Connect to your console and get root privileges.
Run the following sacli command:
cd /usr/local/openvpn_as/scripts/
./sacli ConfigQuery | grep -i "cs.openssl_ciphersuites"
If the command prints nothing, the key is unset and the default above applies; otherwise the output shows the cipher suite string you have set.
Tip
Run sacli commands from the scripts directory: /usr/local/openvpn_as/scripts/.
Run the following sacli commands to set a custom string (using your preferred cipher suite string values in place of ours):
./sacli --key "cs.openssl_ciphersuites" --value 'DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA' ConfigPut
./sacli start
Tip
Ensure you use single quotes instead of double quotes around the cipher suite string: the string contains "!" characters, which an interactive bash shell treats as history expansion inside double quotes and would mangle before sacli sees them.
If you've set the cipher suite string using the commands above, you can delete the configuration key to restore it to the default settings.
Run the following sacli commands to delete the configuration key and reset to the default cipher suite string setting:
./sacli --key "cs.openssl_ciphersuites" ConfigDel
./sacli start
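Before putting a custom string into cs.openssl_ciphersuites, it is worth expanding it on a machine with a comparable OpenSSL version to see exactly which suites it allows, because a string that resolves to nothing locks you out of the web interface. The following is an added example, not Access Server or OpenVPN code: it uses Python's standard ssl module (which hands the string to the local OpenSSL library) to expand and audit the two default strings quoted above. The function names expand and audit, and the category labels in the report, are this example's own.

```python
"""Expand and audit an OpenSSL cipher suite string offline.

Added example (not OpenVPN Access Server code). Python's ssl module asks
the local OpenSSL library to resolve the string the same way Access
Server's web server would, so you can see what a candidate string allows
before running sacli ConfigPut.
"""
import ssl

# The two default strings quoted in the tutorial.
OLD_DEFAULT = "DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4"                        # 2.0.14-2.9.0
NEW_DEFAULT = "DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"     # 2.9.1 and newer


def expand(cipher_string):
    """Return the TLS 1.2-and-below cipher suites the string resolves to.

    Raises ValueError if OpenSSL rejects the string or it matches nothing,
    which is the failure mode that would lock you out of the web UI.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"OpenSSL rejected {cipher_string!r}: {exc}") from exc
    # TLS 1.3 suites are fixed and not governed by this string; drop them so
    # the audit reflects only what the string actually controls.
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    if not suites:
        raise ValueError(f"{cipher_string!r} matches no TLS 1.2 cipher suites")
    return suites


def audit(cipher_string):
    """Flag the weaknesses the hardened default is designed to remove.

    Keys are this example's own labels; values are cipher suite names.
    """
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        # Static RSA key exchange, i.e. no forward secrecy (what !kRSA removes).
        "static_rsa": [c["name"] for c in suites if c["kea"] == "kx-rsa"],
        # Static (EC)DH key exchange (what !kDH:!kECDH remove).
        "static_dh": [c["name"] for c in suites if c["kea"] in ("kx-dh", "kx-ecdh")],
        # DSS-signed suites (what !DSS removes).
        "dss_auth": [c["name"] for c in suites if c["auth"] == "auth-dss"],
        # Anything below 128-bit symmetric strength (what !MEDIUM:!LOW remove).
        "weak": [c["name"] for c in suites if c["strength_bits"] < 128],
        # Non-AEAD suites: the ones you would consider dropping next.
        "non_aead": [c["name"] for c in suites if not c["aead"]],
    }


if __name__ == "__main__":
    for label, s in (("old default", OLD_DEFAULT), ("current default", NEW_DEFAULT)):
        report = audit(s)
        print(f"{label}: {report['count']} TLS<=1.2 suites")
        for key in ("static_rsa", "static_dh", "dss_auth", "weak", "non_aead"):
            if report[key]:
                print(f"  {key}: {', '.join(report[key])}")
```

Run it with the string you intend to apply in place of NEW_DEFAULT. The old default still resolves to suites with static RSA key exchange (Kx=RSA), which is exactly what the current default's !kRSA term removes; the exact suite list depends on the OpenSSL version on the machine you run this on, so run it where the OpenSSL build matches your Access Server host.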
Important
This step only applies to Access Server cluster setups prior to version 3.0.0, where the cluster API used a dedicated TCP 945 interface.
In these versions, inter-node communication had a separate configuration key for its cipher suite string, ssl_api.openssl_ciphersuites. By default, it inherited the settings from the main web services.
Verify the cipher suites your web server actually offers after the change, from a separate host, using the nmap ssl-enum-ciphers script:
nmap --script ssl-enum-ciphers -p 443 vpnserver.yourdomain.com
To manually specify the cluster cipher suite string (for versions before 3.0.0), run the following sacli commands:
./sacli --key "ssl_api.openssl_ciphersuites" --value 'DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA' ConfigPut
./sacli start
⚠️ Starting with Access Server 3.0.0
The ssl_api interface (TCP 945) is no longer used. Cluster communication now shares the web service port TCP 943 and uses the same cipher suite settings.
The configuration key ssl_api.openssl_ciphersuites has no effect and is ignored.
Additionally, cluster-related sacli commands now require an admin user to authenticate.
If you've set the cluster cipher suite string separately using the commands above, you can delete the configuration key to restore it to the default settings.
Run the following sacli command to delete the configuration key:
./sacli --key "ssl_api.openssl_ciphersuites" ConfigDel