
Tutorial: Harden the Web Server Cipher Suite String

Abstract

Increase Access Server security by hardening the web server cipher suite string. Here's how.

Overview

HTTPS-protected web services must define which TLS cipher suites they accept. This is a trade-off between security and compatibility: the strictest settings lock out browsers on older platforms, so the Access Server default is chosen to work with current operating systems and browsers. You can adjust the cipher suite string to fit your own client population, for example to remove suites without forward secrecy when every client is under your control.

Important

The default cipher suite string for Access Server 2.9.1 and newer:

DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA

The default cipher suite string for Access Server 2.0.14-2.9.0:

DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4

  1. Connect to your console with root privileges.

  2. Run the following sacli command to check whether a custom cipher suite string is configured:

    cd /usr/local/openvpn_as/scripts/
    ./sacli ConfigQuery | grep -i "cs.openssl_ciphersuites"
    • If nothing is printed, the key is unset and the default string above applies. If a value is printed, that is the custom string currently in use.

    Tip

    Run sacli commands from the scripts directory: /usr/local/openvpn_as/scripts/.

  • Run the following sacli commands to set a custom string (using your preferred cipher suite string values in place of ours):

    ./sacli --key "cs.openssl_ciphersuites" --value 'DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA' ConfigPut
    ./sacli start

Tip

Use single quotes, not double quotes, around the cipher suite string. The exclamation marks in it trigger history expansion inside double quotes in an interactive bash shell, which would silently corrupt the value you store.

If you've set the cipher suite string using the commands above, you can delete the configuration key to restore it to the default settings.

  • Run the following sacli commands to delete the configuration key and reset to the default cipher suite string setting:

    ./sacli --key "cs.openssl_ciphersuites" ConfigDel
    ./sacli start
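To see what a cipher suite string actually enables before you store it with ConfigPut, expand it with the same OpenSSL parser the web server uses. The script below is an added example, not part of the tutorial or of Access Server; it uses only Python's standard ssl module, so the result reflects the OpenSSL build on the host where it runs (run it on the Access Server host itself for an exact answer). The two strings are the defaults quoted above; the rule names kx-rsa, kx-ecdhe, kx-dhe, kx-any and auth-dss are the key-exchange and authentication labels OpenSSL reports through SSLContext.get_ciphers().

```python
import ssl

# Cipher suite strings quoted from the tutorial: the 2.0.14-2.9.0 default
# and the 2.9.1+ default.
OLD_DEFAULT = "DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4"
NEW_DEFAULT = "DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"

# Key-exchange labels that give forward secrecy. TLS 1.3 suites report
# "kx-any" because the OpenSSL cipher string does not govern them.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def expand(cipher_string):
    """Return the cipher suites the local OpenSSL enables for a string.

    SSLContext.set_ciphers() runs the same OpenSSL cipher-string parser that
    the web server applies to cs.openssl_ciphersuites; get_ciphers() lists
    what survived, one dict per suite with name, kea, auth, strength_bits.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def weak_suites(cipher_string):
    """Suites the string still offers that the 2.9.1 default is meant to drop:
    RSA key transport (no forward secrecy), DSS authentication, or a bulk
    cipher below 128 bits such as 3DES. Returns a list of (name, reason)."""
    flagged = []
    for c in expand(cipher_string):
        reasons = []
        if c.get("kea") not in FORWARD_SECRET_KX:
            reasons.append("no forward secrecy (%s)" % c.get("kea"))
        if c.get("auth") == "auth-dss":
            reasons.append("DSS authentication")
        if c["strength_bits"] < 128:
            reasons.append("%d-bit bulk cipher" % c["strength_bits"])
        if reasons:
            flagged.append((c["name"], ", ".join(reasons)))
    return flagged


def removed_by_hardening(old=OLD_DEFAULT, new=NEW_DEFAULT):
    """Names enabled by the old string but not by the new one."""
    kept = {c["name"] for c in expand(new)}
    return [c["name"] for c in expand(old) if c["name"] not in kept]


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for name, why in weak_suites(OLD_DEFAULT):
        print("old default still offers %-40s %s" % (name, why))
    print("suites removed by the 2.9.1 default:")
    for name in removed_by_hardening():
        print("   ", name)
    print("weak suites left by the 2.9.1 default:", weak_suites(NEW_DEFAULT))
```

Run it with a candidate string of your own in place of NEW_DEFAULT before you commit it with ConfigPut; if expand() raises ssl.SSLError, the string selects no ciphers at all and the web service would be unreachable.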

Important

This step applies only to an Access Server cluster setup, where two or more Access Servers share the same database backend and together provide your VPN server connections.

As of Access Server 2.9.1, the cluster API port on TCP 945 for inter-node communication has a separate configuration key for the cipher suite string. By default, it inherits the settings from the main web services.

  1. Verify which cipher suites a node's web server actually offers, using the nmap ssl-enum-ciphers script (check the cluster API port, TCP 945, the same way):

    nmap --script ssl-enum-ciphers -p 443 vpnserver.yourdomain.com
  2. To specify the cluster cipher suite string separately, run the following sacli commands:

    ./sacli --key "ssl_api.openssl_ciphersuites" --value 'DEFAULT:!MEDIUM:!LOW:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA' ConfigPut
    ./sacli start
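The nmap output is long, and the grades it assigns are not the same as the policy on this page: a TLS_RSA_WITH_AES_128_GCM_SHA256 suite earns an "A" from nmap yet is exactly what the !kRSA exclusion removes. The checker below is an added example, not part of the tutorial or of nmap; it parses the ssl-enum-ciphers listing and maps each offered suite back to the exclusion in the 2.9.1 default string that should have removed it. The scan text embedded in it is constructed for the example, not a real scan result, and its TLS 1.3 suite names follow nmap's TLS_AKE_WITH_ convention.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 host` output.
# It deliberately mixes suites the 2.9.1 default removes with ones it keeps.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
"""

PROTO_LINE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+(\S+)\s*$")

# Each rule names the exclusion from the 2.9.1 default string that removes
# suites whose IANA name matches the pattern.
RULES = [
    ("!kRSA (RSA key transport, no forward secrecy)", re.compile(r"^TLS_RSA_WITH_")),
    ("!kDH/!kECDH (static DH or ECDH key exchange)",
     re.compile(r"^TLS_(DH|ECDH)_(RSA|DSS|ECDSA)_WITH_")),
    ("!DSS (DSS authentication)", re.compile(r"_DSS_")),
    ("!PSK (pre-shared key)", re.compile(r"_PSK_")),
    ("!SRP (SRP)", re.compile(r"_SRP_")),
    ("!MEDIUM/!LOW/!RC4 (weak bulk cipher)",
     re.compile(r"_(3DES|DES|RC4|RC2|IDEA|SEED|NULL)_|_EXPORT")),
]


def parse_enum_ciphers(text):
    """Map protocol version -> list of (suite, key-exchange detail, nmap grade)."""
    offered, proto = {}, None
    for line in text.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            proto = m.group(1)
            offered.setdefault(proto, [])
            continue
        m = CIPHER_LINE.match(line)
        if m and proto is not None:
            offered[proto].append((m.group(1), m.group(2), m.group(3)))
    return offered


def violations(offered):
    """Suites the server still offers that the 2.9.1 default string would drop.
    Returns (protocol, suite, reasons) tuples, one per offending suite."""
    found = []
    for proto, suites in offered.items():
        for name, _detail, _grade in suites:
            reasons = [label for label, pat in RULES if pat.search(name)]
            if reasons:
                found.append((proto, name, "; ".join(reasons)))
    return found


if __name__ == "__main__":
    for proto, name, why in violations(parse_enum_ciphers(SAMPLE_NMAP_OUTPUT)):
        print("%-8s %-42s %s" % (proto, name, why))
```

Feed it the real scan with parse_enum_ciphers(open("scan.txt").read()); an empty result from violations() means every offered suite is consistent with the hardened string, while any entry tells you which exclusion you expected to apply and did not.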

If you've set the cluster cipher suite string separately using the commands above, you can delete the configuration key to restore it to the default settings.

  • Run the following sacli commands to delete the configuration key and restart the services:

    ./sacli --key "ssl_api.openssl_ciphersuites" ConfigDel
    ./sacli start