What's PAN's future for TLS decrypt with many sites now moving to Diffie-Hellman based ciphers ONLY?

L2 Linker

Does PAN have any plan for better managing the current state of TLS decryption now that Diffie-Hellman based ciphers are becoming the default standard?

PAN currently only supports the below ciphers, and when presented with a website that ONLY supports DH ciphers it appears to just reset the connection instead of failing open. Manually whitelisting/excluding sites which only support DH ciphers these days is starting to become too labour-intensive a manual process.

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

Does PAN have any plan to better manage this?

Shouldn't "active" forward proxies be able to support DH from proxy to website?

Or should we just consider this the death throes of PAN's gateway decryption/visibility functionality?
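The manual exclusion work described in the post can be derived from cipher scan data instead. This is an added example, not part of the original post and not vendor tooling: it assumes scan text shaped like nmap's `ssl-enum-ciphers` output (the sample scan, hostnames and function names are constructed) and flags hosts that offer none of the five listed RSA suites, treating TLS 1.3 suite names as always ephemeral (EC)DHE.

```python
import re
# The five RSA key-exchange suites the post lists (IANA spelling).
PROXY_SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
}

# Constructed, trimmed sample in the style of nmap ssl-enum-ciphers output.
SAMPLE_SCAN = """\
Nmap scan report for legacy.example (192.0.2.10)
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
Nmap scan report for pfs-only.example (192.0.2.20)
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
"""

def parse_scan(text):
    """Map each scanned host to the set of suite names it offered."""
    hosts, current = {}, None
    for line in text.splitlines():
        host = re.match(r"Nmap scan report for (\S+)", line)
        suite = re.match(r"\|\s+(TLS_\w+)", line)
        if host:
            current = hosts.setdefault(host.group(1), set())
        elif suite and current is not None:
            current.add(suite.group(1))
    return hosts

def key_exchange(suite):
    """Key-exchange family from the suite name; TLS 1.3 names carry none."""
    m = re.fullmatch(r"TLS_(\w+?)_WITH_\w+", suite)
    if m is None or m.group(1) == "AKE":
        return "TLS1.3"  # TLS 1.3 handshakes are always ephemeral (EC)DHE
    return m.group(1).split("_")[0]  # "ECDHE_RSA" -> "ECDHE", "RSA" -> "RSA"

def plan(text):
    """Per host: ('decrypt', usable suites) or ('exclude', families seen)."""
    return {h: (("decrypt", sorted(s & PROXY_SUITES)) if s & PROXY_SUITES else
                ("exclude", sorted({key_exchange(x) for x in s})))
            for h, s in parse_scan(text).items()}
```

A "decrypt" result only means the server advertised at least one of the listed suites in the scan; hosts marked "exclude" are the candidates for the decryption exclusion list.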
