PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PCI Compliance - Weak SSL/TLS Key Exchange - 443 / tcp over ssl

L0 Member

We have been having the same issue with PCI compliance scans with two different companies.

After scanning, they come back with the following error:

Weak SSL/TLS Key Exchange

-------------------------------------------------------------------------

Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges

-------------------------------------------------------------------------

This error is on 443 / tcp over ssl

 

I have been working with a MSP to try and resolve this, by disabling weak ciphers and such, to no avail.

We are using a PA-3020, with the latest OS (9.1.14-h4). This device does not support OS 10.x

 

Any help would be greatly appreciated.

1 accepted solution

Accepted Solutions

L4 Transporter

Hello @jwise 

 

I recently fix same issue in 9.1.X.

 

First yo need to use a Certificate custom ( Self Signed or issue from a internal C.A ).

Then create SSL/TLS profile minimoum TLS 1.2, maximium Max.

 

Now from CLI you need to disable the weka algortims using in the SSL/TLS profile:

 

Like this:

 

Disable 3des
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des no
• Disable SHA1:
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings auth-algo-sha1 no
disable RC4:
• #set ssl-tls-service-profile TLSprofileTestprotocol-settings enc-algo-rc4 no

 

Then you need yo assing the TLS Profile to Managment Web-Gui, en Devece-Setup.

 

Now for SSH you need to do it this:


• # set deviceconfig system ssh ciphers mgmt aes256-ctr
• # set deviceconfig system ssh ciphers mgmt aes256-gcm
• # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
• # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
• # set deviceconfig system ssh session-rekey mgmt interval 3600
• # set deviceconfig system ssh mac mgmt hmac-sha2-256
• # set deviceconfig system ssh mac mgmt hmac-sha2-512
• # delete deviceconfig system ssh kex mgmt
• # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
• # commit

Then restart the service SSH:

# set ssh service restart

 

Important: Always as a good practice, generate a Backup of your config.

 

Best regards

High Sticker

View solution in original post

1 REPLY 1

L4 Transporter

Hello @jwise 

 

I recently fix same issue in 9.1.X.

 

First yo need to use a Certificate custom ( Self Signed or issue from a internal C.A ).

Then create SSL/TLS profile minimoum TLS 1.2, maximium Max.

 

Now from CLI you need to disable the weka algortims using in the SSL/TLS profile:

 

Like this:

 

Disable 3des
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des no
• Disable SHA1:
• #set shared ssl-tls-service-profile TLSprofileTest protocol-settings auth-algo-sha1 no
disable RC4:
• #set ssl-tls-service-profile TLSprofileTestprotocol-settings enc-algo-rc4 no

 

Then you need yo assing the TLS Profile to Managment Web-Gui, en Devece-Setup.

 

Now for SSH you need to do it this:


• # set deviceconfig system ssh ciphers mgmt aes256-ctr
• # set deviceconfig system ssh ciphers mgmt aes256-gcm
• # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
• # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
• # set deviceconfig system ssh session-rekey mgmt interval 3600
• # set deviceconfig system ssh mac mgmt hmac-sha2-256
• # set deviceconfig system ssh mac mgmt hmac-sha2-512
• # delete deviceconfig system ssh kex mgmt
• # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
• # commit

Then restart the service SSH:

# set ssh service restart

 

Important: Always as a good practice, generate a Backup of your config.

 

Best regards

High Sticker
  • 1 accepted solution
  • 3891 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!