Who Me Too'd this topic

Who Me Too'd this topic

L2 Linker

GlobalProtect Portal SSL in PANOS 8

Hello all,

 

I have noticed an important difference in PANOS v8.0 in comparison with PANOS 7.x.x concerning the SSL settings for the GlobalProtect portal.

 

More specific, the famous site for SSL Server tests, Qualys SSL Labs presents PANOS 7.0.x with Grade A-, while for PANOS 8.0.x the grade is lowered to Grade B (worst).

 

This happends because, while in PANOS 8.0.x there is a wider support of ciphersuites  fot TLSv1.2, the additional ciphersuites supported use weak weak Diffie-Hellman (DH) key exchange parameters. More specific, for some cipher suites, the DH key exchange is weak, as 1024-bits are being used.

 

 

More specific, for version 7.0.x, the Cipher Suites list is the following:

 

TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128

 

 

while in PANOS 8.0.x the list is the following:

 

# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK128

 

 

The big question is how to disable these weak Forward Secrecy (FS) DH Weak key exchange exchange parameters as there is no option to manipulate these settings either from the Web UI or the CLI.

Maybe the new SSL/TLS Service Profile that appears in PANOS 7.1.x should have something for the CipherSuites and the Forward Secrecy (FS) key exchange parameters that need to be enabled/disabled/used (and the order they are being presented to the client's web browser.

 

Regards,

George G.

Tags (1)
Who Me Too'd this topic