09-29-2015 05:54 PM
Does PAN have any plan for better managing the current state of TLS decryption now that Diffie-Hellman based ciphers are becoming the default standard?
PAN currently only supports the below ciphers, and when presented with a website that ONLY supports DH ciphers it appears to just reset the connection instead of failing open. Manually whitelisting/excluding sites which only support DH ciphers these days is starting to become too labour-intensive a manual process.
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Does PAN have any plan to better manage this?
Shouldn't "active" forward proxies be able to support DH from proxy to website?
Or should we just consider this the death throes of PAN's gateway decryption/visibility functionality?