How to properly disable 3DES encryption algorithm?

Reply
L3 Networker

How to properly disable 3DES encryption algorithm?

We are currently being required to disable 3DES in order to pass PCI compliance (due to the Sweet32 exploit).

 

We have a decryption profile for all incoming traffic hitting our firewall and services behind it, where I have tried disabling 3DES.

However, the firewall will still accept 3DES after doing a commit. When opening the decryption profile again. 3DES will be shown as enabled again.

 

As you can see in the picture, 3DES seems to be disabled in the decryption profile list, but when opening the specified decryption profile it shows up as enabled.

 

3DES.png

 

Does anyone know how to properly disable 3DES on PANOS 7.1.x?

L4 Transporter

Re: How to properly disable 3DES encryption algorithm?

Hello,

 

Seems odd, can you try changing this via the CLI?

 

>configure

#edit profiles decryption "name of decryption profile" ssl-protocol-settings

#set enc-algo-3des no

#commit

 

let us know if this resolves the issue.

 

Ben

Highlighted
L3 Networker

Re: How to properly disable 3DES encryption algorithm?

Hi Ben,

 

This did not resolve the issue, but it should be disabled.

The firewall still provides TLS_RSA_WITH_3DES_EDE_CBC_SHA for clients.

 

Here's the output from show of ssl-protocol-settings for the decryption profile:

 

(active)# show
ssl-protocol-settings {
  keyxchg-algo-dhe yes;
  keyxchg-algo-ecdhe yes;
  min-version tls1-1;
  keyxchg-algo-rsa yes;
  enc-algo-3des no;
  enc-algo-rc4 no;
  enc-algo-aes-128-cbc yes;
  enc-algo-aes-256-cbc yes;
  enc-algo-aes-128-gcm yes;
  enc-algo-aes-256-gcm yes;
  auth-algo-sha1 yes;
  auth-algo-sha256 yes;
  auth-algo-sha384 yes;
}
Community Team Member

Re: How to properly disable 3DES encryption algorithm?

Hi,

 

I see the same thing in my lab (running PAN-OS 7.1.3 on a VM-100).

 

It might just be a cosmetic bug because the CLI command indicates it is disabled :

 

admin@PA-VM# show profiles decryption test ssl-protocol-settings

ssl-protocol-settings {

  enc-algo-3des no;

  enc-algo-rc4 no;

}

 

I'd recommend to open a bug report with support so they can get this GUI bug fixed.

 

Cheers,

-Kim.

L3 Networker

Re: How to properly disable 3DES encryption algorithm?

Hi,

 

Yes, the GUI is showing it as disabled, yet the firewall will still offer 3DES to clients, so this is not just a cosmetic issue.

L1 Bithead

Re: How to properly disable 3DES encryption algorithm?

Kim This command is working on 6.0 ?

L3 Networker

Re: How to properly disable 3DES encryption algorithm?

I finally managed to disable 3DES, but it was not as straight forward as disabling 3DES on the decryption profile for inbound SSL.

 

To make this work, I set min. protocol version of the decryption profile to TLS 1.2, and then I had to do the same for the SSL/TLS Service Profile for each of the certificates used for inbound SSL inspection.

 

Now the firewall will only use TLS 1.2 and 3DES is disabled across the board.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!