This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )"

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )"

nfsfantasy
L1 Bithead

‎07-21-2021 01:36 AM

Hi All

I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )"

I did configuration command like in document. but the message it still show after scan again.

anyone have idea

 

for SSL/TLS to disable weak Algorithm-

set shared ssl-tls-service-profile web-gui protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile web-gui protocol-settings keyxchg-algo-rsa no

 

 

 

I am reading on document it reccomend to do this anyone can reccomend command

thank you

 

Disable support for weak ciphers on the server. Weak ciphers are generally defined as:
· Any cipher with key length less than 128 bits
· Export-class cipher suites
· NULL ciphers
· Ciphers that support unauthenticated modes
· Ciphers assessed at security strengths below 112 bits
· All RC4 ciphers
· All CBC mode ciphers due to POODLE, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE
vulnerabilities
· All 64-bit block ciphers
· All ciphers using MD5 and SHA1 for cryptographic hash functions
The following ciphers supported by the server are weak and should be disabled:
· TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
· TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
· TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
· TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
· TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
· TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
· TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

0 Likes Likes
1 REPLY 1

LAYER_8
L5 Sessionator

‎08-05-2021 06:52 AM

Are you able to confirm in your network tab, under IPSec Crypto profile, that your objects do not include any of the above? 

 

AES-GCM-128 and 256 with SHA256 (in my screenshot) will work. 

 

Screen Shot 2021-08-05 at 8.51.12 AM.png

 

Help the community! Add tags and mark solutions please.
0 Likes Likes
  • 2218 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks