This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this topic

GlobalProtect Portal SSL in PANOS 8

ggoudr
L2 Linker

‎05-18-2017 09:01 AM

Hello all,

 

I have noticed an important difference in PANOS v8.0 in comparison with PANOS 7.x.x concerning the SSL settings for the GlobalProtect portal.

 

More specific, the famous site for SSL Server tests, Qualys SSL Labs presents PANOS 7.0.x with Grade A-, while for PANOS 8.0.x the grade is lowered to Grade B (worst).

 

This happends because, while in PANOS 8.0.x there is a wider support of ciphersuites  fot TLSv1.2, the additional ciphersuites supported use weak weak Diffie-Hellman (DH) key exchange parameters. More specific, for some cipher suites, the DH key exchange is weak, as 1024-bits are being used.

 

 

More specific, for version 7.0.x, the Cipher Suites list is the following:

 

TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128

 

 

while in PANOS 8.0.x the list is the following:

 

# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK128

 

 

The big question is how to disable these weak Forward Secrecy (FS) DH Weak key exchange exchange parameters as there is no option to manipulate these settings either from the Web UI or the CLI.

Maybe the new SSL/TLS Service Profile that appears in PANOS 7.1.x should have something for the CipherSuites and the Forward Secrecy (FS) key exchange parameters that need to be enabled/disabled/used (and the order they are being presented to the client's web browser.

 

Regards,

George G.

1 person had this problem.
Who Me Too'd this topic
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks