IPfire fails PCI scan due to openvpn having TLS v1.0 enabled

I am trying to figure out where the server.conf is or if there is a place in the interface to disable TLS v1.0 or other. TLSv1.0 is enabled by default which will fail any security scan for compliance.

Anyone know the best way to disable TLS v1.0? Normally you just add --tls-version-min 1.2

Thanks,
Jason


LOL I thought I was logged in to the box. I fixed it. But if I modify the server.conf will it overwrite my changes? How do I make it always keep that setting?

This is what needs to be added:
tls-version-min 1.2

Currently we do not require this because some clients didn’t upgrade.

I think it is reasonable to require TLS 1.2 or later. Could you please raise a ticket on Bugzilla for this?
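An added shell example, not from this thread or the IPFire project, that audits an OpenVPN server.conf for the `tls-version-min` directive discussed above and sets it idempotently; the config files and their contents are constructed for the demo.

```shell
#!/bin/sh
# Constructed example: check and enforce the minimum TLS version in an OpenVPN server.conf.

# Print the effective tls-version-min from a config file (empty if unset).
# The last occurrence wins, which matches how OpenVPN handles repeated options.
ovpn_tls_min() {
    awk '$1 == "tls-version-min" { v = $2 } END { print v }' "$1"
}

# Report PASS/FAIL the way a compliance scan would: TLS 1.0/1.1 on the control channel fails.
ovpn_tls_check() {
    v=$(ovpn_tls_min "$1")
    case "$v" in
        1.2|1.3) echo "PASS: tls-version-min $v"; return 0 ;;
        "")      echo "FAIL: tls-version-min not set, so TLS 1.0 is still accepted"; return 1 ;;
        *)       echo "FAIL: tls-version-min $v is below 1.2"; return 1 ;;
    esac
}

# Idempotently set tls-version-min 1.2: drop any existing line, then append exactly one.
# Re-running it after a GUI rewrite of the file restores the directive without duplicates.
ovpn_tls_enforce() {
    tmp="$1.tmp.$$"
    grep -v '^[[:space:]]*tls-version-min[[:space:]]' "$1" > "$tmp" || true
    echo "tls-version-min 1.2" >> "$tmp"
    mv "$tmp" "$1"
}

# Constructed sample configs (not real IPFire files) so the script runs stand-alone.
DEMO_DIR=$(mktemp -d)
printf 'port 1194\nproto udp\ndev tun\ncipher AES-256-CBC\n' > "$DEMO_DIR/default.conf"
printf 'port 1194\nproto udp\ndev tun\ntls-version-min 1.2\n' > "$DEMO_DIR/hardened.conf"

ovpn_tls_check "$DEMO_DIR/default.conf" || true   # FAIL: directive missing
ovpn_tls_check "$DEMO_DIR/hardened.conf"          # PASS
ovpn_tls_enforce "$DEMO_DIR/default.conf"
ovpn_tls_check "$DEMO_DIR/default.conf"           # PASS after enforcing
```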

Sure, that is crazy; they want to leave 1.0 out there. I will report a bug with them. I do want to make sure my change will not get wiped out any time something is changed in the GUI.

Should we make this configurable ?

Best,

Erik

No, TLS 1.0 is outdated and deserves to die. Clients must update.

As far as I know this won’t affect anyone anyways because OpenVPN always comes bundled with OpenSSL - even on Windows - and therefore even Windows XP should be able to do better than TLS 1.0.

However, I do not want to support Windows XP any more. The security (and performance) with TLS 1.2 or 1.3 is much better. So why not use that?

@ms
The patch is already there. Should I wait until the release of Core 148, since we would then need the update.sh to integrate the directive in server.conf?

Best,

Erik

Next already has 149 open. You could simply add the commands to the commit message if you like.

This conversation should also be held on the dev list. I would like to hear @pmueller’s opinion on this.

It doesn’t appear this has been patched in Core 148. When will this patch be applied?

Hi,

the patch will be shipped with Core Update 149, which is scheduled to be released next week.

Thanks, and best regards,
Peter Müller


Hi all,
this option is now integrated in the CGI, but you would need to activate it by stopping the server, pressing the save button and starting the server again.
It seems that the update.sh commands from the commit message (https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=942446b553235db212d1dfda63bd9ab52eef4c29) are missing from https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/rootfiles/core/149/update.sh;h=38f80529f48a6b78e5576e3fe53ef86c33d9af98;hb=refs/heads/core149, so the automatic integration of this directive on running OpenVPN instances can only be done by the procedure mentioned above.

Best,

Erik
