PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl

jwise · ‎11-08-2022

We have been having the same issue with PCI compliance scans with two different companies.

After scanning, they come back with the following error:

Weak SSL/TLS Key Exchange

-------------------------------------------------------------------------

Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges

-------------------------------------------------------------------------

This error is on 443 / tcp over ssl

I have been working with a MSP to try and resolve this, by disabling weak ciphers and such, to no avail.

We are using a PA-3020, with the latest OS (9.1.14-h4). This device does not support OS 10.x

Any help would be greatly appreciated.

Metgatz · ‎11-08-2022

Hello @jwise

I recently fix same issue in 9.1.X.

First yo need to use a Certificate custom ( Self Signed or issue from a internal C.A ).

Then create SSL/TLS profile minimoum TLS 1.2, maximium Max.

Now from CLI you need to disable the weka algortims using in the SSL/TLS profile:

Like this:

Disable 3des
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des no
• Disable SHA1:
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings auth-algo-sha1 no
disable RC4:
• #set ssl-tls-service-profile TLSprofileTestprotocol-settings enc-algo-rc4 no

Then you need yo assing the TLS Profile to Managment Web-Gui, en Devece-Setup.

Now for SSH you need to do it this:

• # set deviceconfig system ssh ciphers mgmt aes256-ctr
• # set deviceconfig system ssh ciphers mgmt aes256-gcm
• # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
• # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
• # set deviceconfig system ssh session-rekey mgmt interval 3600
• # set deviceconfig system ssh mac mgmt hmac-sha2-256
• # set deviceconfig system ssh mac mgmt hmac-sha2-512
• # delete deviceconfig system ssh kex mgmt
• # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
• # commit

Then restart the service SSH:

# set ssh service restart

Important: Always as a good practice, generate a Backup of your config.

Best regards

High Sticker

View solution in original post

Metgatz · ‎11-08-2022

Hello @jwise

I recently fix same issue in 9.1.X.

First yo need to use a Certificate custom ( Self Signed or issue from a internal C.A ).

Then create SSL/TLS profile minimoum TLS 1.2, maximium Max.

Now from CLI you need to disable the weka algortims using in the SSL/TLS profile:

Like this:

Disable 3des
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des no
• Disable SHA1:
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings auth-algo-sha1 no
disable RC4:
• #set ssl-tls-service-profile TLSprofileTestprotocol-settings enc-algo-rc4 no

Then you need yo assing the TLS Profile to Managment Web-Gui, en Devece-Setup.

Now for SSH you need to do it this:

• # set deviceconfig system ssh ciphers mgmt aes256-ctr
• # set deviceconfig system ssh ciphers mgmt aes256-gcm
• # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
• # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
• # set deviceconfig system ssh session-rekey mgmt interval 3600
• # set deviceconfig system ssh mac mgmt hmac-sha2-256
• # set deviceconfig system ssh mac mgmt hmac-sha2-512
• # delete deviceconfig system ssh kex mgmt
• # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
• # commit

Then restart the service SSH:

# set ssh service restart

Important: Always as a good practice, generate a Backup of your config.

Best regards

High Sticker

Unlock your full community experience!

PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl

PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl

Show your appreciation!