https://live.paloaltonetworks.com/t5/general-topics/ssl-weak-cbc-mode-vulnerability/m-p/26649#M19459 <HTML><HEAD></HEAD><BODY><P>Hi Johan,</P><P>How do you make your PA box passed the BEAST vulnerablity scan?</P><P>Thanks</P><P></P><P>Leo</P></BODY></HTML> Thu, 14 Feb 2013 23:27:32 GMT leole 2013-02-14T23:27:32Z https://live.paloaltonetworks.com/t5/general-topics/ssl-weak-cbc-mode-vulnerability/m-p/26647#M19457 <HTML><HEAD></HEAD><BODY><P>Our box was scanned by Qualys and the SSL VPN portal cames up with the following message:</P><P></P><P>If possible, upgrade to TLS v1.1 or TLS v1.2. If upgrading is not possible, then disabling CBC mode cipher will remove the vulnerability.</P><P></P><P>Any ideas how to disable CBC mode cipher on the PA device. Is there any impact on doing this ?</P><P></P><P>rgds</P><P>Johan</P><P> </P></BODY></HTML> Mon, 19 Mar 2012 10:28:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-weak-cbc-mode-vulnerability/m-p/26647#M19457 u5273 2012-03-19T10:28:46Z https://live.paloaltonetworks.com/t5/general-topics/ssl-weak-cbc-mode-vulnerability/m-p/26648#M19458 <HTML><HEAD></HEAD><BODY><P>As a test, do you get the same result when you enable FIPS mode on the PAN device?</P><P><BR />Also which PANOS do you use?</P><P></P><P>I dont think PAN currently supports you to select (per ssl-decryption) which ciphers should be allowed but I would be glad if someone could file this as a feature request (I will do this myself but it seems that the more the better when it comes to how many reports the same feature request).</P></BODY></HTML> Mon, 19 Mar 2012 10:40:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-weak-cbc-mode-vulnerability/m-p/26648#M19458 mikand 2012-03-19T10:40:22Z https://live.paloaltonetworks.com/t5/general-topics/ssl-weak-cbc-mode-vulnerability/m-p/26649#M19459 <HTML><HEAD></HEAD><BODY><P>Hi Johan,</P><P>How do you make your PA box passed the BEAST vulnerablity scan?</P><P>Thanks</P><P></P><P>Leo</P></BODY></HTML> Thu, 14 Feb 2013 23:27:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-weak-cbc-mode-vulnerability/m-p/26649#M19459 leole 2013-02-14T23:27:32Z