This information is currently based on these versions.
Console Server version 4.13.3 (IM7200, ACM7000, CM7100)
NGCS version 23.03.1 (OM2200)
Lighthouse version 22.11.2
Commands are provided to print current details from the Opengear CLI.
Cryptographic applications & libraries
For the purposes of this article, we’re considering programs that provide network services that securely authenticate and encrypt connections to Opengear and/or its managed devices.
Libraries
Library | Version | Command to print the version
OpenSSL | 1.0.1u-fips (CS), 1.1.1s (Lighthouse), 3.0.7 (NGCS) | openssl version
Applications using OpenSSL
Application | Version | Command to print the version
OpenSSH | 7.7p1 (CS), 8.2p1 (Lighthouse), 8.9p1 (NGCS) | ssh -V
OpenVPN | 2.4.6 (CS), 2.5.6 (Lighthouse), 2.5.6 (NGCS) | openvpn --version
Cherokee Web Server | 1.2.104 | cherokee --version
Applications not using OpenSSL
Application | Version | Command to print the version
Openswan IPsec | U2.6.37 /K | ipsec --version
Poptop PPTP Server | v1.3.4 | pptpd -v
Cherokee Web Server
The Cherokee web server implements The Mozilla Foundation’s recommended ciphersuite for intermediate compatibility.
This disables weak encryption elements including null ciphers, SSLv3 and RC4, while maintaining moderate backward compatibility:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
The default self-signed SSL certificate uses a 1024-bit key.
To view Cherokee’s cipher string, run:
grep ssl_ciphers /etc/config/cherokee/conf.d/https.conf
Although not generally recommended, you may override this cipher string with:
config -s config.https.customciphers='custom_cipher_string' -r ssl
Clear your custom cipher string and return to defaults with:
config -d config.https.customciphers -r ssl
OpenSSH Server (7.7p1 and later)
The SSH server supports SSHv2 only.
For a full list of enabled ciphers, key exchange algorithms, and hashes (OpenSSH v7.7p1 and later only), run:
sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
These are summarized in the following table:
Protocol | SSHv2
Key Exchange | diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
Authentication | RSA, ECDSA and ED25519 public key; password
Encryption | aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
Hash | hmac-md5, hmac-sha1, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
The automatically generated RSA host key is 4096 bits. The automatically generated ECDSA and ED25519 host keys are 256 bits. These are generated on first boot after a factory reset.
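The table above shows that the default listing still contains legacy algorithms (arcfour, CBC-mode ciphers, MD5 and truncated MACs, SHA-1 and 1024-bit group1 key exchange). The following shell script is an added example, not code from the Opengear article: it parses the keyword/comma-list format that `sshd -T` prints and reports the entries an administrator would normally want to disable. The sample input is constructed to mirror the table; on an appliance you would pass the real `sshd -T` output instead. The weak-algorithm patterns are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the Opengear article): audit an `sshd -T` listing for
# algorithms a defender would want to disable. sshd -T prints one "keyword value"
# line per option; ciphers, macs and kexalgorithms values are comma-separated.

# Constructed sample, mirroring the article's OpenSSH table. On a real appliance:
#   weak_algorithms "$(sshd -T)"
SAMPLE_SSHD_T='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
macs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# weak_algorithms <sshd -T output>
# Prints "<keyword> <algorithm>" for every entry matching this example's weak patterns:
#   ciphers       - RC4 (arcfour), 3DES, Blowfish, CAST, any CBC-mode cipher
#   macs          - MD5-based, RIPEMD-based, or truncated (-96) MACs
#   kexalgorithms - SHA-1 based exchanges and the 1024-bit group1 exchange
weak_algorithms() {
    printf '%s\n' "$1" | awk '
        $1 == "ciphers" || $1 == "macs" || $1 == "kexalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                a = algs[i]
                weak = 0
                if ($1 == "ciphers"       && a ~ /arcfour|3des|blowfish|cast128|-cbc/) weak = 1
                if ($1 == "macs"          && a ~ /md5|-96$|ripemd/)                     weak = 1
                if ($1 == "kexalgorithms" && a ~ /sha1$|group1-/)                        weak = 1
                if (weak) print $1, a
            }
        }'
}

# count_weak <sshd -T output>: number of weak entries found
count_weak() {
    weak_algorithms "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list the weak entries in the constructed sample (18 lines)
weak_algorithms "$SAMPLE_SSHD_T"
```

Only `ciphers`, `macs` and `kexalgorithms` lines are inspected; other `sshd -T` keywords (such as `port`) are ignored, so the whole configuration dump can be passed in unchanged.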
OpenVPN
By default, OpenVPN tunnels are configured to disallow export ciphers, known weak ciphers (e.g. DES), and RSA key exchange (note: not RSA authentication), using the following cipher string:
DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA
Otherwise, the full range supported by OpenSSL is available (see below).
Individual tunnels may set their own cipher string by selecting Custom Configuration and specifying the tls-cipher parameter.
OpenSSL
Although many of these may be disabled by the individual applications above, the underlying OpenSSL supports a variety of protocol versions, ciphers and hashes. For a full list of ciphers, run:
openssl ciphers -v
These are summarized in the following table:
Protocol | SSLv3, TLSv1.2, TLSv1.3
Key Exchange | DH, ECDH, ECDH/ECDSA, ECDH/RSA, PSK, RSA, SRP
Authentication | DSS, ECDH, ECDSA, PSK, RSA, SRP
Encryption | 3DES(168), AES(128), AES(256), AESGCM(128), AESGCM(256), Camellia(128), Camellia(256), DES(56), RC4(128), SEED(128)
Hash | AEAD, MD5, SHA1, SHA256, SHA384
For more details on OpenSSL cipher support visit:
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
https://www.openssl.org/docs/man3.0/man1/ciphers.html
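The OpenVPN default cipher string above and the OpenSSL table both turn on the same question: which of the suites `openssl ciphers -v` lists give forward secrecy, and which depend on algorithms that string excludes. The script below is an added example, not code from the Opengear article or from OpenSSL: it parses the column format `openssl ciphers -v` prints (name, minimum protocol, Kx=, Au=, Enc=, Mac=) and classifies each suite. The sample lines are constructed from the algorithm families in the table; the verdict rules are this example's own.

```shell
#!/bin/sh
# Added example (not from the Opengear article): classify the output of
# `openssl ciphers -v`. Each line has the form
#   NAME  MIN-PROTOCOL  Kx=<key exchange>  Au=<auth>  Enc=<cipher(bits)>  Mac=<mac>
# On an appliance, pipe the real command in instead of the constructed sample:
#   openssl ciphers -v | classify_ciphers
#   openssl ciphers -v 'DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA' | classify_ciphers   # OpenVPN default

# Constructed sample (real suite names, attributes as OpenSSL prints them)
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)    Mac=SHA256
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA            SSLv3   Kx=RSA      Au=RSA   Enc=3DES(168)   Mac=SHA1
RC4-MD5                 SSLv3   Kx=RSA      Au=RSA   Enc=RC4(128)    Mac=MD5
DES-CBC-SHA             SSLv3   Kx=RSA      Au=RSA   Enc=DES(56)     Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3   Kx=PSK      Au=PSK   Enc=AES(256)    Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3   Kx=SRP      Au=RSA   Enc=AES(256)    Mac=SHA1'

# classify_ciphers: reads cipher lines on stdin, prints "<verdict> <name> <reason>".
#   weak  - RC4, single DES or 3DES encryption, or an MD5 MAC
#   no-fs - static key exchange (Kx=RSA, PSK, SRP, ECDH/RSA, ECDH/ECDSA): a
#           compromised long-term key also decrypts recorded sessions
#   ok    - ephemeral ECDH or DH key exchange (forward secrecy) with no weak part
# The protocol column is the minimum version a suite needs, so an "SSLv3" entry
# is still usable over TLS 1.0-1.2; it is therefore not used as a weak flag here.
classify_ciphers() {
    awk 'NF >= 6 {
        name = $1; kx = $3; enc = $5; mac = $6
        sub(/^Kx=/, "", kx); sub(/^Enc=/, "", enc); sub(/^Mac=/, "", mac)
        reason = ""
        if (enc ~ /^(RC4|DES|3DES)/) reason = "enc=" enc
        if (mac == "MD5") reason = reason (reason == "" ? "" : ",") "mac=MD5"
        if (reason != "") { print "weak", name, reason; next }
        if (kx == "ECDH" || kx == "DH") print "ok", name, "kx=" kx
        else print "no-fs", name, "kx=" kx
    }'
}

# count_verdict <verdict>: number of sample suites with that verdict
count_verdict() {
    printf '%s\n' "$SAMPLE_CIPHERS" | classify_ciphers | awk -v v="$1" '$1 == v' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_CIPHERS" | classify_ciphers
```

Running the classifier over the real listing, once with no cipher string and once with the OpenVPN default string, shows directly which `no-fs` and `weak` suites `!kRSA`, `!LOW` and `!EXP` remove; on OpenSSL 1.0.1 a trailing `export` column appears on export suites, which the `NF >= 6` guard tolerates.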
Openswan IPsec
For a full list of available ciphers and related algorithms, configure an IPsec tunnel, then run:
ipsec auto --status
These are summarized in the following table:
Protocol | IKE, ESP, NAT-T
Authentication | RSA digital signature, shared secret (PSK), X.509 certificates
Encryption | DES, 3DES, AES128, AES192, AES256
Hash | MD5, SHA1
Perfect Forward Secrecy | MODP768, MODP1024, MODP1536, MODP2048, MODP3072, MODP4096, MODP6144, MODP8192, DH22, DH23, DH24
Poptop PPTP Server
Note that PPTP is not recommended for high-security applications.
Authentication | PAP, CHAP, MSCHAPv2
Encryption | MPPE/RC4 40-bit, MPPE/RC4 128-bit