For me, the most useful mode of operation is to use SoftEther's HTTPS interface on TCP port 443 since it will cut through the most restrictive firewalls. However, using ssllabs.com server testing tools, I found that SoftEther uses insecure methods. Specifically, the RC4 cipher and TLS modes below TLS1.2, i.e., TLS1.0 and TLS1.1.
In the next SoftEther release, please eliminate the use of RC4, TLS1.0 and TLS1.1.
HTTPS Security
solo
- Posts: 1826
- Joined: Sun Feb 14, 2021 10:31 am
Re: HTTPS Security
You got all these options ten years ago FFS.

SoftEther VPN 4.22 Build 9634 Beta (November 27, 2016)
Added the support for TLS 1.2. Added TLS 1.2-based cipher sets: AES128-GCM-SHA256, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-SHA384.
Added the function to allow configuring specific TLS versions to accept / deny. In the VPN Server configuration file you can set the Tls_Disable1_0, Tls_Disable1_1 and Tls_Disable1_2 flags to true to disable these TLS versions individually.
RC4 will not be "eliminated", it's easy on CPU and not forced on you.
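The reply above names the three flags but not what the before/after looks like. The following is an added example, not SoftEther's code and not a real server's file: it parses a constructed fragment written in the style of vpn_server.config, flags the weak state (legacy TLS versions accepted, RC4 suite selected), and emits a hardened fragment that sets Tls_Disable1_0 and Tls_Disable1_1 to true, keeps TLS 1.2 enabled, and selects one of the ECDHE AES-GCM suites listed in the 4.22 changelog. The key name CipherName for the suite selector, the nesting under ServerConfiguration, and the sample values are assumptions for illustration; check your own file before applying the rewrite.

```python
import re

# Constructed sample fragment (hypothetical values) in the style of
# SoftEther's vpn_server.config. The Tls_Disable1_* flags are the ones the
# post names; CipherName is an assumed key for the selected cipher suite.
SAMPLE_CONFIG = """declare root
{
    declare ServerConfiguration
    {
        string CipherName RC4-MD5
        bool Tls_Disable1_0 false
        bool Tls_Disable1_1 false
        bool Tls_Disable1_2 false
    }
}
"""

# One setting per line: "<indent><type> <key> <value>"; nesting is ignored here.
LINE_RE = re.compile(r'^(\s*)(bool|string|uint)\s+(\S+)\s+(.*)$')

# Suites from the 4.22 changelog that give forward secrecy and AEAD.
GOOD_SUITES = ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384")


def parse_settings(text):
    """Return {key: value} for every typed setting line in the fragment."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(3)] = m.group(4).strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    # A missing flag defaults to false in this audit, i.e. the version is accepted.
    for ver, key in (("1.0", "Tls_Disable1_0"), ("1.1", "Tls_Disable1_1")):
        if settings.get(key, "false").lower() != "true":
            findings.append(f"TLS {ver} still accepted ({key} is not true)")
    # Disabling 1.2 as well would leave no modern protocol version at all.
    if settings.get("Tls_Disable1_2", "false").lower() == "true":
        findings.append("TLS 1.2 is disabled; do not disable it alongside 1.0/1.1")
    cipher = settings.get("CipherName", "").upper()
    if "RC4" in cipher or cipher.endswith("-MD5"):
        findings.append(f"weak cipher suite selected: {cipher}")
    return findings


def harden(text, cipher=GOOD_SUITES[1]):
    """Rewrite the fragment in place: drop TLS 1.0/1.1, keep 1.2, use an AEAD suite."""
    wanted = {
        "Tls_Disable1_0": "true",
        "Tls_Disable1_1": "true",
        "Tls_Disable1_2": "false",
        "CipherName": cipher,
    }
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) in wanted:
            indent, typ, key = m.group(1), m.group(2), m.group(3)
            out.append(f"{indent}{typ} {key} {wanted[key]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_settings(SAMPLE_CONFIG)
    for finding in audit(before):
        print("before:", finding)
    hardened = harden(SAMPLE_CONFIG)
    print("after:", audit(parse_settings(hardened)) or "no findings")
    print(hardened)
```

Edit the file only while the VPN Server service is stopped, since SoftEther writes its configuration back to disk on shutdown and would otherwise overwrite the change; then re-run the ssllabs.com scan the first post describes to confirm that only TLS 1.2 and the selected suite are offered.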
