Eliminating the "TLS/SSL Server Supports The Use of Static Key Ciphers" vulnerability from my PAM Server


Article ID: 131784


Updated On:


CA Privileged Access Manager (PAM)


After running a vulnerability scanning tool, the resulting report shows that my PAM server is affected by the "TLS/SSL Server Supports The Use of Static Key Ciphers" vulnerability.

How can I eliminate the "TLS/SSL Server Supports The Use of Static Key Ciphers" vulnerability from my PAM Server?


PAM Server 3.x


Currently we are supporting the use of static key ciphers to have backward compatibility for some components such as the A2A client.

There is a plan to phase out the default support for TLS 1.0/1.1 when those components are deprecated or all updated to not require TLS 1.0/1.1.

For non-FIPS mode we are not supporting any forward secrecy as of 3.2.x at server level. But we do support forward secrecy for RDP sessions with TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 with version 3.2.2.

However, this request to support strong ciphers was considered by product management team and was included in 3.3 release.

So, this vulnerability will be addressed with 3.3 release.

Navigate to "Configuration - Security - Access" and select "Disabled" for "TLS v1.0/1.1 connection allowed" to turn off TLS 1.0 and 1.1.


On PAM 3.4.0 following ciphers were observed in the Client Hello in wireshark for both 443 and 8443 ports (with TLS 1.0/1.1 Disabled, regardless of whether running in FIPS mode or Standard mode).

    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)


These are TLS 1.2 approved ciphers.


If it is to eliminate HTTP/2 Black Listed Ciphers then please raise an Enhancement Request at the communities.


Additional Information

See also: TLS/SSL Server Supports The Use of Static Key Ciphers

              HTTP/2 Black Listed Ciphers