Weak handshake - SSL VPN
Hi team, I noticed that Sophos VPN uses a weak handshake for remote users despite high settings on SSL VPN crypto.
Currently it uses: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
3DES-EDE is known to be weak.
I think this is a serious problem for such a nice firewall.
Forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84727/sophos-xg-ssl-vpn-remote-use-weaker-handshake-than-specified-and-udp-failed-to-connect/
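The negotiated handshake quoted above can be checked mechanically rather than by eye. The following is an added example, not code from the post or from Sophos: it parses handshake strings in the hyphenated form shown here (the same naming OpenVPN uses for `tls-cipher`) and in OpenVPN's `Control Channel:` log form, then flags the legacy protocol, the 3DES bulk cipher, the CBC/SHA-1 construction and any missing forward secrecy. Only the first sample line is the one from the post; the other two are constructed for comparison.

```python
import re

# Constructed sample input: the first line is the handshake string quoted in
# the post; the next two are hypothetical lines in the two naming styles seen
# in practice (hyphenated IANA names and OpenSSL short names) for comparison.
SAMPLE_LINES = [
    "SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
    "Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384",
    "SSL Handshake: TLSv1.2/TLS-RSA-WITH-AES-128-CBC-SHA",
]

PROTO_RE = re.compile(r"\b(TLSv1(?:\.\d)?|SSLv[23])\b")
# A cipher-suite name: upper-case/digit tokens joined by '-' or '_', at least three of them.
SUITE_RE = re.compile(r"\b[A-Z0-9]+(?:[-_][A-Z0-9]+){2,}\b")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_BULK = ("3DES", "DES-CBC", "RC4", "RC2", "NULL", "EXPORT")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def parse_handshake(line):
    """Extract (protocol, suite) from a handshake/log line, or None if absent."""
    proto, suite = PROTO_RE.search(line), SUITE_RE.search(line)
    if not (proto and suite):
        return None
    return proto.group(1), suite.group(0).replace("_", "-").upper()


def assess(proto, suite):
    """Return the weaknesses a defender would flag for this negotiated handshake."""
    findings = []
    if proto in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {proto}; require TLS 1.2 or newer")
    weak = [t for t in WEAK_BULK if t in suite]
    if weak:
        findings.append(f"weak bulk cipher ({weak[0]}); block size or key space too small")
    if not any(m in suite for m in AEAD_MARKERS):
        findings.append("non-AEAD (CBC) suite; prefer AES-GCM or ChaCha20-Poly1305")
    if suite.endswith("-SHA"):
        findings.append("HMAC-SHA1 integrity; prefer SHA-256/384 or an AEAD suite")
    if "DHE" not in suite:
        findings.append("no forward secrecy (static RSA key exchange)")
    return findings


def audit(lines):
    """Map each parsable line to its findings; an empty list means nothing to flag."""
    report = {}
    for line in lines:
        parsed = parse_handshake(line)
        if parsed:
            report[line] = assess(*parsed)
    return report


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LINES).items():
        print(line, "->", findings or ["OK"])
```

Run against the quoted line it reports four findings (TLS 1.0, 3DES, CBC, SHA-1); the constructed TLS 1.2 AES-GCM line reports none.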
C. Lisowski commented
If the SSL VPN is based on the same code as UTM 9.x, then there is an issue that the packets are often filtered by other firewalls.
The reason for this is that it is probably not valid SSL?
Create an SSL tunnel (stunnel) around it and it works perfectly.
It would definitely be great if the SSL tunnel were not needed anymore in the future and the SSL VPN worked just fine and was seen as SSL-encrypted traffic.