Backward Compatibility

This document covers configuration adjustments to support older clients that may not be compatible with modern cipher defaults on RansNet Gateway.


Apache2 SSLCipherSuite

Newer versions of Apache2 default to TLS 1.3 with a restricted cipher set. Older browsers or HTTP clients may fail to establish a connection if they only support legacy ciphers.

To broaden compatibility, edit /etc/apache2/sites-available/default and add or update the following directives:

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLHonorCipherOrder on

After updating the configuration, validate it and reload Apache2:

sudo apachectl configtest
sudo systemctl reload apache2

Note: This change requires a manual patch. The typical use case is to let mFusion support HSA500 devices. For other cases, please contact our support.


VPN data-ciphers

OpenVPN 2.5 and later replaced the deprecated cipher directive with data-ciphers, which accepts a colon-separated list of acceptable ciphers negotiated during the handshake. Older OpenVPN clients (2.4 and below) only understand the legacy cipher directive and will fail to connect if the server requires a negotiated cipher they do not recognize.

To support a mix of old and new clients, add both of the following directives to the server-side VPN configuration:

data-ciphers XXX:XXX:XXX
data-ciphers-fallback XXX

On RansNet Gateway, in the CLI, add the following under the VPN server instance for HSA500 devices:

encryption DES-EDE3-CBC 

Note: DES-EDE3-CBC or AES-256-CBC is included only as a fallback for legacy clients. Prefer AES-256-GCM or CHACHA20-POLY1305 wherever possible, as they provide authenticated encryption.
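
A check for the directives above, as an added example (not RansNet's or OpenVPN's own code): it parses data-ciphers and data-ciphers-fallback from a server configuration and reports CBC ciphers listed ahead of the AEAD ones, plus 64-bit block ciphers such as DES-EDE3-CBC. The two sample configurations and the function names parse_ciphers and audit are constructed for illustration.

```python
import re

# AEAD modes (GCM, ChaCha20-Poly1305) authenticate the ciphertext themselves.
AEAD = re.compile(r"-GCM$|^CHACHA20-POLY1305$")
# 64-bit block ciphers such as 3DES and Blowfish: keep for legacy clients only.
SMALL_BLOCK = re.compile(r"^(DES|BF|CAST5)-")

# Constructed sample configs (not RansNet-generated files).
LEGACY_FIRST = """\
# mixed-client server, legacy cipher listed first
data-ciphers AES-256-CBC:AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback DES-EDE3-CBC
"""
AEAD_FIRST = """\
data-ciphers AES-256-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
"""

def parse_ciphers(conf_text):
    """Return (data-ciphers list, fallback cipher or None)."""
    negotiated, fallback = [], None
    for raw in conf_text.splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(words) < 2:
            continue
        if words[0] == "data-ciphers":
            negotiated = [c.upper() for c in words[1].split(":") if c]
        elif words[0] == "data-ciphers-fallback":
            fallback = words[1].upper()
    return negotiated, fallback

def audit(conf_text):
    """Return findings about cipher order and legacy ciphers."""
    negotiated, fallback = parse_ciphers(conf_text)
    findings = []
    aead_at = [i for i, c in enumerate(negotiated) if AEAD.search(c)]
    if negotiated and not aead_at:
        findings.append("data-ciphers: no AEAD cipher offered")
    # The server picks the first entry in its list that the client supports,
    # so a CBC entry ahead of the AEAD ones can win for modern clients too.
    for c in negotiated[: aead_at[0]] if aead_at else []:
        findings.append(f"data-ciphers: {c} is listed ahead of the AEAD ciphers")
    for c in dict.fromkeys(negotiated + ([fallback] if fallback else [])):
        if SMALL_BLOCK.search(c):
            findings.append(f"{c}: 64-bit block cipher, restrict to legacy clients")
    return findings

if __name__ == "__main__":
    print(audit(LEGACY_FIRST), audit(AEAD_FIRST))
```

An empty result for AEAD_FIRST shows the layout the note above recommends: AEAD ciphers first, with AES-256-CBC kept only as the fallback.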