VBR v11 Hardened (Immutable) Repository - no support for Perfect Forward Secrecy ciphers.
Case #04754357 — VBR v11 Linux hardened proxy/repo: error testing Veeam Data Mover service connection (4/14/2021)
Our security team shut down my testing/usage of the new Veeam v11 hardened repository (immutable backup) due to lack of support for Perfect Forward Secrecy ciphers.
Support has created a feature request for this functionality with product management. I need to get an idea of the ETA, so that I can report back to my management on this issue. How can I track a feature request?
Thanks, Ned
- Enthusiast
- Posts: 33
- Liked: 7 times
- Joined: Dec 09, 2014 9:13 pm
- Full Name: Ned Thomas
- Product Manager
- Posts: 14914
- Liked: 3109 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: VBR v11 Hardened (Immutable) Repository - no support for Perfect Forward Secrecy ciphers
Hello Ned,
I just went through the case and the feature request makes sense to me. Can you maybe post a list of ciphers your security team allows? Just to be sure that there are not any other options that are forbidden. Or is everything okay that is listed in the IIS crypto tool when applying the "strict" template?
As for now I cannot give any ETA as I have to check with developers about the complexity of that change.
Best regards,
Hannes
PS: that request affects all our Linux roles. It has nothing to do with the hardened repository specifically.
- Product Manager
- Posts: 14914
- Liked: 3109 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: VBR v11 Hardened (Immutable) Repository - no support for Perfect Forward Secrecy ciphers
Update: the requirement to support these ciphers is tracked as #323760 and I will update the thread when it's resolved (can take some time).
- Product Manager
- Posts: 14914
- Liked: 3109 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: VBR v11 Hardened (Immutable) Repository - no support for Perfect Forward Secrecy ciphers
Hello,
In version 11a we added support for the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
That should solve your issue.
Best regards,
Hannes
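An added example, not part of the original thread and not Veeam code: a Python check that parses the six suite names listed in the post above and reports which ones pass a cipher policy. The policy (forward secrecy required, optionally AEAD-only), the function names and the static-RSA comparison name in the comment are assumptions for illustration; substitute the list your security team actually allows.

```python
import re

# Suites copied from the 11a post above: (IANA name, code point).
SUITES_11A = [
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0xC028),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0xC027),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC014),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC013),
]

# AES-style TLS 1.2 names: TLS_<kx>[_<auth>]_WITH_<cipher>_<bits>_<mode>_<hash>
NAME_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9]+?)(?:_(?P<auth>[A-Z0-9]+))?_WITH_"
    r"(?P<cipher>[A-Z0-9]+)_(?P<bits>\d+)_(?P<mode>[A-Z0-9]+)_(?P<hash>SHA\d*)$"
)

def classify(name):
    """Derive the security-relevant properties from a suite name."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unsupported suite name: {name}")
    return {
        "forward_secrecy": m["kx"] in ("ECDHE", "DHE"),  # ephemeral key exchange
        "aead": m["mode"] in ("GCM", "CCM"),             # authenticated encryption
        "mode": m["mode"],
        "sha1_mac": m["hash"] == "SHA",                  # bare SHA means HMAC-SHA1
    }

def audit(suites, require_aead=True):
    """Split suites into accepted names and (name, reason) rejections."""
    accepted, rejected = [], []
    for name, _code in suites:
        props = classify(name)
        if not props["forward_secrecy"]:
            rejected.append((name, "no forward secrecy"))
        elif require_aead and not props["aead"]:
            rejected.append((name, f"{props['mode']} mode is not AEAD"))
        else:
            accepted.append(name)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = audit(SUITES_11A)  # assumed strict policy: PFS and AEAD
    print("accepted:", *ok, sep="\n  ")
    print("rejected:", *(f"{n} ({why})" for n, why in bad), sep="\n  ")
    # A static-RSA name such as TLS_RSA_WITH_AES_128_CBC_SHA (constructed
    # comparison, not from the thread) is rejected for lacking forward secrecy.
```

All six suites use ECDHE and therefore provide forward secrecy; only the two GCM suites also pass when `require_aead=True`.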