 
nicklowe
just joined
Topic Author
Posts: 13
Joined: Thu Dec 26, 2013 5:06 pm

SSTP: AES-GCM support, granular control of cipher suites.

Thu Dec 26, 2013 5:14 pm

I presently use SSTP for site to site VPNs between router boards.

It would be fantastic if MikroTik would consider offering the following in the future:

1) Support for TLS 1.2.
2) Granular control of the cipher suites offered on the server.
3) Support for AES-GCM. This is today the recommended secure cipher suite over RC4 for performance reasons. It offers strong performance benefits over AES-CBC.

Season's regards to all! :)

Thanks,

Nick
 
iustinn
just joined
Posts: 6
Joined: Tue Dec 09, 2014 3:18 pm

Re: SSTP: AES-GCM support, granular control of cipher suites.

Tue Nov 24, 2015 4:26 pm

> I presently use SSTP for site to site VPNs between router boards.
>
> It would be fantastic if MikroTik would consider offering the following in the future:
>
> 1) Support for TLS 1.2.
> 2) Granular control of the cipher suites offered on the server.
> 3) Support for AES-GCM. This is today the recommended secure cipher suite over RC4 for performance reasons. It offers strong performance benefits over AES-CBC.
>
> Season's regards to all! :)
>
> Thanks,
>
> Nick

2 years later, same situation. MikroTik please update!!!
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: SSTP: AES-GCM support, granular control of cipher suites.

Tue Nov 24, 2015 4:47 pm

TLS 1.2 is already supported and PFS already can be enabled.
Currently only GCM is not possible but might be added in the future.
 
iustinn
just joined
Posts: 6
Joined: Tue Dec 09, 2014 3:18 pm

Re: SSTP: AES-GCM support, granular control of cipher suites.

Wed Nov 25, 2015 7:29 pm

> TLS 1.2 is already supported and PFS already can be enabled.
> Currently only GCM is not possible but might be added in the future.

Indeed, TLS 1.2 is enabled, but I have not found the option for PFS on the web service for administering the router.
Also, if you look at HMAC, it is SHA1, and again, no option for SHA2.

GCM is less of a problem, at least for me.
Best regards.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: SSTP: AES-GCM support, granular control of cipher suites.

Sun Dec 27, 2015 1:39 pm

It's only a matter of time, cuz CWC, OCB was future of ciphers, and even updated/re-worked EAX shows notably improved scalability.
so far GCM is good for "transition" period and step-up from CCM.
"in general" legacy things, like XTS, CBC and some time after - CCM, perhaps - been phased-out/deprecated eventually.

https://en.wikipedia.org/wiki/Block_cip ... _operation
so far both CWC and (to some degree) EAX variations show the best scalability, performance/overhead, security among them, in my opinion.
but supporting some of them is painful, cuz some stuff is hard to backport and some wasn't really trivial to older kernels AT ALL :(
 
iustinn
just joined
Posts: 6
Joined: Tue Dec 09, 2014 3:18 pm

Re: SSTP: AES-GCM support, granular control of cipher suites.

Mon Feb 01, 2016 11:30 pm

Any update on the PFS/sha1 issue ? ...
 
majestic
Frequent Visitor
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

Re: SSTP: AES-GCM support, granular control of cipher suites.

Sun Jun 04, 2017 1:29 am

+1 This would be really helpful if ROS had AES-GCM support as there's a huge performance boost for all. That means lower hardware can achieve higher throughput which likely would be more cost effective.
 
kolyk
just joined
Posts: 5
Joined: Thu Jan 09, 2014 9:09 am

Re: SSTP: AES-GCM support, granular control of cipher suites.

Thu Jan 10, 2019 9:44 am

Are there any plans for upgrading cipher suites?

I was using Windows 10 + Mikrotik SSTP VPN for years and now it is not possible to connect because they don't have any cipher suite in common after some upgrade.
 
Anastasia
Frequent Visitor
Posts: 55
Joined: Wed Oct 28, 2015 7:12 pm

Re: SSTP: AES-GCM support, granular control of cipher suites.

Sat Jan 26, 2019 6:23 pm

add the ability to select the encryption mode to the settings: aes-128 cbc, aes-256 cbc, blowfish, twofish, aes-128 ctr, aes-256 ctr, aes-128 gcm, aes-256 gcm and MPPE 128
