topic Re: PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl in General Topics https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-weak-ssl-tls-key-exchange-443-tcp-over-ssl/m-p/520730#M107929 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105884">@jwise</a>&nbsp;</P> <P>&nbsp;</P> <P>I recently fix same issue in 9.1.X.</P> <P>&nbsp;</P> <P>First yo need to use a Certificate custom ( Self Signed or issue from a internal C.A ).</P> <P>Then create SSL/TLS profile minimoum TLS 1.2, maximium Max.</P> <P>&nbsp;</P> <P>Now from CLI you need to disable the weka algortims using in the SSL/TLS profile:</P> <P>&nbsp;</P> <P>Like this:</P> <P>&nbsp;</P> <P>Disable 3des<BR />• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des no<BR />• Disable SHA1:<BR />• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings auth-algo-sha1 no<BR />disable RC4:<BR />• #set ssl-tls-service-profile TLSprofileTestprotocol-settings enc-algo-rc4 no</P> <P>&nbsp;</P> <P>Then you need yo assing the TLS Profile to Managment Web-Gui, en Devece-Setup.</P> <P>&nbsp;</P> <P>Now for SSH you need to do it this:</P> <P><BR />• # set deviceconfig system ssh ciphers mgmt aes256-ctr<BR />• # set deviceconfig system ssh ciphers mgmt aes256-gcm<BR />• # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256<BR />• # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256<BR />• # set deviceconfig system ssh session-rekey mgmt interval 3600<BR />• # set deviceconfig system ssh mac mgmt hmac-sha2-256<BR />• # set deviceconfig system ssh mac mgmt hmac-sha2-512<BR />• # delete deviceconfig system ssh kex mgmt<BR />• # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521<BR />• # commit</P> <P>Then restart the service SSH:</P> <P># set ssh service restart</P> <P>&nbsp;</P> <P><EM><STRONG>Important</STRONG>: Always as a good practice, generate a Backup of your config.</EM></P> <P>&nbsp;</P> <P>Best regards</P> Wed, 09 Nov 2022 00:37:15 GMT Metgatz 2022-11-09T00:37:15Z PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-weak-ssl-tls-key-exchange-443-tcp-over-ssl/m-p/520653#M107913 <P>We have been having the same issue with PCI compliance scans with two different companies.</P> <P>After scanning, they come back with the following error:</P> <P>Weak SSL/TLS Key Exchange</P> <P>-------------------------------------------------------------------------</P> <P>Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges</P> <P>-------------------------------------------------------------------------</P> <P>This error is on 443 / tcp over ssl</P> <P>&nbsp;</P> <P>I have been working with a MSP to try and resolve this, by disabling weak ciphers and such, to no avail.</P> <P>We are using a&nbsp;PA-3020, with the latest OS (9.1.14-h4). This device does not support OS 10.x</P> <P>&nbsp;</P> <P>Any help would be greatly appreciated.</P> Tue, 08 Nov 2022 14:48:14 GMT https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-weak-ssl-tls-key-exchange-443-tcp-over-ssl/m-p/520653#M107913 jwise 2022-11-08T14:48:14Z Re: PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-weak-ssl-tls-key-exchange-443-tcp-over-ssl/m-p/520730#M107929 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105884">@jwise</a>&nbsp;</P> <P>&nbsp;</P> <P>I recently fix same issue in 9.1.X.</P> <P>&nbsp;</P> <P>First yo need to use a Certificate custom ( Self Signed or issue from a internal C.A ).</P> <P>Then create SSL/TLS profile minimoum TLS 1.2, maximium Max.</P> <P>&nbsp;</P> <P>Now from CLI you need to disable the weka algortims using in the SSL/TLS profile:</P> <P>&nbsp;</P> <P>Like this:</P> <P>&nbsp;</P> <P>Disable 3des<BR />• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des no<BR />• Disable SHA1:<BR />• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings auth-algo-sha1 no<BR />disable RC4:<BR />• #set ssl-tls-service-profile TLSprofileTestprotocol-settings enc-algo-rc4 no</P> <P>&nbsp;</P> <P>Then you need yo assing the TLS Profile to Managment Web-Gui, en Devece-Setup.</P> <P>&nbsp;</P> <P>Now for SSH you need to do it this:</P> <P><BR />• # set deviceconfig system ssh ciphers mgmt aes256-ctr<BR />• # set deviceconfig system ssh ciphers mgmt aes256-gcm<BR />• # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256<BR />• # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256<BR />• # set deviceconfig system ssh session-rekey mgmt interval 3600<BR />• # set deviceconfig system ssh mac mgmt hmac-sha2-256<BR />• # set deviceconfig system ssh mac mgmt hmac-sha2-512<BR />• # delete deviceconfig system ssh kex mgmt<BR />• # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521<BR />• # commit</P> <P>Then restart the service SSH:</P> <P># set ssh service restart</P> <P>&nbsp;</P> <P><EM><STRONG>Important</STRONG>: Always as a good practice, generate a Backup of your config.</EM></P> <P>&nbsp;</P> <P>Best regards</P> Wed, 09 Nov 2022 00:37:15 GMT https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-weak-ssl-tls-key-exchange-443-tcp-over-ssl/m-p/520730#M107929 Metgatz 2022-11-09T00:37:15Z