I have a quick question regarding cryptography settings in RouterOS. When you expose, for example, the web interface over HTTPS, it uses the following set of ciphers (as tested against v6.29.1):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
56-bit key length and single-DES are red flags for me - this is no longer considered secure at all, I'm afraid. This key length can be factored in almost real time. I would very much like to ditch the 'backwards compatibility', or shall we call it 'awkward compatibility', if possible, and disable anything with DES, RC4 and MD5 in the name as well as anything with keys shorter than 128 bits.
OK, you may say I'm picky, but there are scenarios where using MikroTik would be an ideal solution, but formal security requirements will rule it out based on the fact that I can't disable weak crypto - as happens in more corporate settings.
So my questions (in random order) are:
- is there a way to fine-tune the crypto settings (something I missed)?
- is there any plan on RouterOS roadmap to include options for fine-tuning of cipher suites?
- are there any plans to introduce TLSv1.2?
- what is the core crypto library used in RouterOS?
Regards
Tom
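
An added example (not part of the original post, and not MikroTik code): a small Python audit that applies the policy stated in the post (nothing with DES, RC4 or MD5 in the cipher name, no keys shorter than 128 bits) to the scan output quoted above. The function names and the line-format regex are assumptions derived from the lines shown in the post.

```python
import re

# Scan output exactly as quoted in the post (RouterOS v6.29.1, HTTPS service).
SCAN_OUTPUT = """\
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
"""

# Assumed line format: "Accepted <protocol> <n> bits <cipher-name>".
LINE_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)$")
# Name components the post wants disabled.
WEAK_TOKEN_RE = re.compile(r"^(3?DES|RC4|MD5)$")
MIN_KEY_BITS = 128


def parse_scan(text):
    """Return (protocol, bits, cipher) tuples for every 'Accepted' line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m.group(1), int(m.group(2)), m.group(3)))
    return results


def findings(text):
    """Map each policy-violating cipher name to its list of reasons."""
    report = {}
    for _proto, bits, cipher in parse_scan(text):
        reasons = []
        # Compare whole name components rather than raw substrings.
        for token in cipher.split("-"):
            if WEAK_TOKEN_RE.match(token):
                reasons.append(f"uses {token}")
        if bits < MIN_KEY_BITS:
            reasons.append(f"{bits}-bit key < {MIN_KEY_BITS}")
        if reasons:
            report[cipher] = reasons
    return report


if __name__ == "__main__":
    for cipher, reasons in findings(SCAN_OUTPUT).items():
        print(f"FAIL {cipher}: {', '.join(reasons)}")
```
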