How can I eliminate the "TLS/SSL Server Does Not Support Any Strong Cipher Algorithms" vulnerability from my PAM Server?

Article ID: 131785

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

After running a vulnerability scanning tool, the resulting report shows that my PAM server is affected by the "TLS/SSL Server Does Not Support Any Strong Cipher Algorithms" vulnerability.

How can I eliminate the "TLS/SSL Server Does Not Support Any Strong Cipher Algorithms" vulnerability from my PAM Server?

Environment

PAM Server 3.x

Resolution

We currently support ciphers that the scan does not consider strong in order to keep backward compatibility with some components, such as the A2A client.

There is a plan to phase out the default support for TLS 1.0/1.1 once those components are deprecated or have all been updated so that they no longer require TLS 1.0/1.1.
In non-FIPS mode, we do not support forward secrecy at the server level as of 3.2.x. Version 3.2.2 does support forward secrecy for RDP sessions, with TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
The request to support strong ciphers was considered by the product management team and will be included in the 3.3 release.
This vulnerability will therefore be addressed in PAM version 3.3.
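
To confirm what a server negotiates before and after the upgrade, a check along the following lines can be used. This is an added example, not Broadcom or PAM code: the function names are hypothetical, the sample suite list is constructed, and it reports only forward secrecy and AEAD mode, which is an assumption about what matters here and not the scanner's own definition of "strong".

```python
import socket
import ssl

FS_KEY_EXCHANGES = {"DHE", "ECDHE"}           # ephemeral Diffie-Hellman variants
AEAD_TAGS = ("GCM", "CCM", "CHACHA20")        # authenticated-encryption modes

def classify(name):
    """Classify a suite given by IANA name (TLS_..._WITH_...) or OpenSSL name (ECDHE-RSA-...)."""
    tokens = name.replace("-", "_").split("_")
    tls13 = False
    if tokens[0] == "TLS":
        tokens = tokens[1:]
        tls13 = "WITH" not in tokens          # TLS 1.3 names carry no key-exchange part
    kx = "TLS1.3" if tls13 else tokens[0]
    return {
        "suite": name,
        "key_exchange": kx,
        "forward_secrecy": tls13 or kx in FS_KEY_EXCHANGES,
        "aead": any(t.startswith(AEAD_TAGS) for t in tokens),
    }

def lacking_forward_secrecy(suites):
    """Return the suites from the list that do not provide forward secrecy."""
    return [s for s in suites if not classify(s)["forward_secrecy"]]

def probe(host, port, version):
    """Handshake pinned to one ssl.TLSVersion; return the classified suite or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # audit probe: inspects negotiation, not identity
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {**classify(tls.cipher()[0]), "version": tls.version()}
    except (ssl.SSLError, OSError):
        return None

if __name__ == "__main__":
    # Constructed sample: the two RDP suites named in this article plus two static-RSA suites.
    sample = [
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "AES128-GCM-SHA256",
    ]
    for suite in sample:
        print(classify(suite))
    print("no forward secrecy:", lacking_forward_secrecy(sample))
```

When `probe` is run against your own server with `ssl.TLSVersion.TLSv1` or `TLSv1_1`, a `None` result can also mean the local OpenSSL build refuses those versions, so confirm from a client that still allows them.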

Additional Information

See also: TLS/SSL Server Does Not Support Any Strong Cipher Algorithms