This information is current based on these versions.
Console Server version 4.6.0 (IM7200, ACM7000, CM7100)
NGCS version 20.Q2.0 (OM2200)
Lighthouse version 5.3
Commands are provided to print current details from the Opengear CLI.
Cryptographic applications & libraries
For the purposes of this article, we’re considering programs that provide network services that securely authenticate and encrypt connections to the Opengear and/or its managed devices.
Libraries
OpenSSL |
1.0.1u-fips (CS) 1.0.2p (Lighthouse) 1.0.2p (NGCS) |
openssl version |
Applications using OpenSSL
OpenSSH |
7.7p1 (CS) 7.7p1 (Lighthouse) 7.7p1 (NGCS) |
ssh -V |
OpenVPN |
2.4.6 (CS) 2.4.4 (Lighthouse) 2.4.4 (NGCS) |
openvpn --version |
Cherokee Web Server |
1.2.101 |
cherokee --version |
Applications not using OpenSSL
Openswan IPsec |
U2.6.37 /K |
ipsec --version |
Poptop PPTP Server |
v1.3.4 |
pptpd -v |
Cherokee Web Server
The Cherokee web server implements The Mozilla Foundation’s recommended ciphersuite for intermediate compatibility.
This disables weak encryption elements including null ciphers, SSLv3 and RC4, while maintaining moderate backwards compatibility:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
The default, self-signed SSL certificate length is 1024 bits.
To view Cherokee’s cipher string, run:
grep ssl_ciphers /etc/config/cherokee/conf.d/https.conf
Although not generally recommended, you may override this cipher string with:
config -s config.https.customciphers='custom_cipher_string' -r ssl
Clear your custom cipher string and return to defaults with:
config -d config.https.customciphers -r ssl
OpenSSH Server (7.7p1 and later)
The SSH server supports SSHv2 only.
For a full list of enabled ciphers, key exchanges algorithms and hashes (OpenSSH v7.7p1 and later only), run:
sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
These are summarized in the following table:
Protocol |
SSHv2 |
Key Exchange |
curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 |
Authentication |
RSA, ECDSA, ED25519 Public Key Password |
Encryption |
chacha20-poly1305@openssh.com aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com |
Hash |
umac-64-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1-etm@openssh.com umac-64@openssh.com umac-128@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1 |
Note that OpenSSH v7.7p1 and later deprecates support for DSA authentication, and add support for ECDSA and ED25519.
The automatically generated RSA host key is 4096 bits. The automatically generated ECDSA and ED25519 host keys are 256 bits. These are generated on first boot after a factory reset.
OpenVPN
By default, OpenVPN tunnels are configured to disallow export ciphers, known weak ciphers (e.g. DES), and RSA key exchange (note: not RSA authentication), using the following cipher string:
DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA
Otherwise the full range support by OpenSSL is available (see below).
Individual tunnels may set their own cipher string by selecting Custom Configuration and specifying the tls-cipher parameter.
OpenSSL
Although many of these may be disabled by the individual applications above, the underlying OpenSSL supports a variety of protocol versions, ciphers and hashes. For a full list of ciphers, run:
openssl ciphers -v
These are summarized in the following table:
Protocol |
SSLv3 TLSv1.2 |
Key Exchange |
DH ECDH ECDH/ECDSA ECDH/RSA PSK RSA SRP |
Authentication |
DSS ECDH ECDSA PSK RSA SRP |
Encryption |
3DES(168) AES(128) AES(256) AESGCM(128) AESGCM(256) Camellia(128) Camellia(256) DES(56) RC4(128) SEED(128) |
Hash |
AEAD MD5 SHA1 SHA256 SHA384 |
Openswan IPsec
For a full list of available ciphers et al., configure an IPsec tunnel then run:
ipsec auto --status
These are summarized in the following table:
Protocol |
IKE ESP NAT-T |
Authentication |
RSA digital signature Shared secret (PSK) x.509 certificates |
Encryption |
DES 3DES AES128 AES192 AES256 |
Hash |
MD5 SHA1 |
Perfect Forward Secrecy |
MODP768 MODP1024 MODP1536 MODP2048 MODP3072 MODP4096 MODP6144 MODP8192 DH22 DH23 DH24 |
Poptop PPTP Server
Note that PPTP is not recommended for high-security applications.
Authentication |
PAP CHAP MSCHAPv2 |
Encryption |
MPPE/RC4 40bit MPPE/RC4 128bit |
Comments
0 comments
Article is closed for comments.