Ciphers supported
Article ID: 188851
Updated On:
Products
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)
Issue/Introduction
How to know the Ciphers that are supported by any of the CA PAM versions, is there a way to find this out?
Also, how to find the ciphers supported by CA PAM for various other applications which communicate over a specific port?
Environment
Release : 2.8.x, 3.2.x, 3.3.x
Component : PRIVILEGED ACCESS MANAGEMENT
Cause
Knowing the supported Ciphers is a very common query, as this would determine the communication between CA PAM and the various other Target Devices / Applications.
Resolution
To capture the Ciphers that are supported for TLS1.2 for CA PAM, we can capture these by establishing a connection to CA PAM Server over Port 443.
Capture the Traffic between the Desktop and CA PAM using Wireshark application.
Once the traffic is captured in Wireshark, search for "Hello Client" handshake.
Expand this "Hello Client" and in here the list of supported Ciphers would be available.
Below is the list of Ciphers supported for CA PAM Version 3.2.6 is as under
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (14 suites)
Cipher Suite: Reserved (GREASE) (0xfafa)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Capture the Traffic between the Desktop and CA PAM using Wireshark application.
Once the traffic is captured in Wireshark, search for "Hello Client" handshake.
Expand this "Hello Client" and in here the list of supported Ciphers would be available.
Below is the list of Ciphers supported for CA PAM Version 3.2.6 is as under
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites (14 suites)
Cipher Suite: Reserved (GREASE) (0xfafa)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Additional Information
Similarly if we need to know the list of Ciphers supported from CA PAM over other ports like 636, 22, 389, etc.,
We need to install dcpdump in the CA PAM host (this would need help from the Support team)
After dcpdump is installed we need to capture the traffic on the specific port and analyse this captured traffic using Wireshark to get a list of supported Ciphers.
We need to install dcpdump in the CA PAM host (this would need help from the Support team)
After dcpdump is installed we need to capture the traffic on the specific port and analyse this captured traffic using Wireshark to get a list of supported Ciphers.
Feedback
Yes
No
Powered by
