I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )"
I did configuration command like in document. but the message it still show after scan again.
anyone have idea
for SSL/TLS to disable weak Algorithm-
set shared ssl-tls-service-profile web-gui protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile web-gui protocol-settings keyxchg-algo-rsa no
I am reading on document it reccomend to do this anyone can reccomend command
Disable support for weak ciphers on the server. Weak ciphers are generally defined as:
· Any cipher with key length less than 128 bits
· Export-class cipher suites
· NULL ciphers
· Ciphers that support unauthenticated modes
· Ciphers assessed at security strengths below 112 bits
· All RC4 ciphers
· All CBC mode ciphers due to POODLE, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE
· All 64-bit block ciphers
· All ciphers using MD5 and SHA1 for cryptographic hash functions
The following ciphers supported by the server are weak and should be disabled:
· TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
· TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
· TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
· TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
· TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
· TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
· TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!