Eliminating the "TLS/SSL Server Supports The Use of Static Key Ciphers" vulnerability from my PAM Server

Article ID: 131784

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After running a vulnerability scanning tool, the resulting report shows that my PAM server is affected by the "TLS/SSL Server Supports The Use of Static Key Ciphers" vulnerability.

How can I eliminate the "TLS/SSL Server Supports The Use of Static Key Ciphers" vulnerability from my PAM Server?

Environment

PAM Server 3.x

Resolution

We currently support static key ciphers for backward compatibility with some components, such as the A2A client.

There is a plan to phase out the default support for TLS 1.0/1.1 once those components are deprecated or have all been updated so that they no longer require TLS 1.0/1.1.

In non-FIPS mode, we do not support forward secrecy at the server level as of 3.2.x. We do, however, support forward secrecy for RDP sessions in version 3.2.2, with TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

However, this request to support strong ciphers was considered by the product management team and was included in the 3.3 release.

So, this vulnerability will be addressed with the 3.3 release.

Navigate to "Configuration - Security - Access" and select "Disabled" for "TLS v1.0/1.1 connection allowed" to turn off TLS 1.0 and 1.1.

On PAM 3.4.0, the following ciphers were observed in the Client Hello in Wireshark on both ports 443 and 8443 (with TLS 1.0/1.1 disabled, regardless of whether PAM is running in FIPS mode or Standard mode).

    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

These are TLS 1.2 approved ciphers.
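The scanner finding concerns the key-exchange part of each suite name: suites using ephemeral (EC)DHE keys provide forward secrecy, while TLS_RSA_* suites protect the session secret with the server's long-term key. The following Python script is an added example, not part of the original article or of the product; it groups the listing above by key exchange, and the function names `classify` and `report` are hypothetical.

```python
import re

# Cipher Suite lines copied from the article's PAM 3.4.0 Wireshark listing.
CLIENT_HELLO = """
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""
LINE_RE = re.compile(r"Cipher Suite:\s+(TLS_\w+)\s+\(0x([0-9a-fA-F]{4})\)")

def classify(name):
    """Classify a TLS 1.2-style suite name by its key exchange."""
    m = re.match(r"TLS_(.+?)_WITH_", name)
    if not m or m.group(1).endswith("_anon"):
        return "other"          # TLS 1.3 names, or anonymous suites
    first = m.group(1).split("_")[0]
    if first in ("DHE", "ECDHE"):
        return "ephemeral"      # per-session keys: forward secrecy
    if first in ("RSA", "DH", "ECDH"):
        return "static"         # long-term key protects the session secret
    return "other"              # PSK, SRP, KRB5 and similar

def report(text):
    """Group the suites found in Wireshark-style text by classification."""
    groups = {"ephemeral": [], "static": [], "other": []}
    for name, code in LINE_RE.findall(text):
        groups[classify(name)].append((name, int(code, 16)))
    return groups

if __name__ == "__main__":
    for kind, suites in report(CLIENT_HELLO).items():
        print(kind, len(suites), [name for name, _ in suites])
```

For the listing above the result is 12 ephemeral and 7 static suites, the static ones being the TLS_RSA_WITH_* entries.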

 

If the goal is to eliminate the HTTP/2 Black Listed Ciphers, please raise an Enhancement Request in the communities.

Additional Information

See also:

TLS/SSL Server Supports The Use of Static Key Ciphers

HTTP/2 Black Listed Ciphers