
Ciphers supported


Article ID: 188851


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

How can I find out which ciphers are supported by a given CA PAM version?

Also, how can I find the ciphers supported by CA PAM for other applications that communicate over a specific port?

Cause

Which ciphers are supported is a very common question, because this determines the communication between CA PAM and the various target devices and applications.

Environment

Release : 2.8.x, 3.2.x, 3.3.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

To list the ciphers supported for TLS 1.2 by CA PAM, establish a connection to the CA PAM server over port 443.

Capture the traffic between the desktop and CA PAM using Wireshark.

Once the traffic is captured in Wireshark, search for the "Client Hello" handshake message.

Expand the "Client Hello" entry; the list of supported ciphers is shown there.

The list of ciphers supported for CA PAM version 3.2.6 is as follows:

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
 
            Cipher Suites (14 suites)
                Cipher Suite: Reserved (GREASE) (0xfafa)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
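
As an added example (not part of the original article or of CA PAM), the Python code below parses the cipher suite list out of a raw Client Hello record like the one expanded above, skips the GREASE placeholder, and flags the suites that use static RSA key exchange, CBC mode or 3DES. The sample bytes are constructed from the 14 codes in the listing; the function names and flag labels are assumptions of this example.

```python
import struct

# IANA names for the suite codes in the capture above, in the same order.
NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
FLAGS = {"no-forward-secrecy": "TLS_RSA_", "cbc-mode": "_CBC_", "3des": "_3DES_"}

def is_grease(code):
    # RFC 8701 GREASE values: both bytes equal, low nibble 0xA (0x0a0a..0xfafa).
    return (code >> 8) == (code & 0xFF) and (code & 0x0F) == 0x0A

def client_hello_suites(record):
    """Return the cipher suite codes offered in one TLS Client Hello record."""
    try:
        ctype, _ver, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 0x16 or len(record) < 5 + rec_len or record[5] != 0x01:
            raise ValueError("not a complete Client Hello record")
        # Offsets: 5 record hdr + 4 handshake hdr + 2 version + 32 random = 43.
        pos = 44 + record[43]       # byte 43 is the session_id length; skip the id
        (n,) = struct.unpack_from("!H", record, pos)
        if n % 2:
            raise ValueError("odd cipher_suites length")
        return list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))
    except (IndexError, struct.error):
        raise ValueError("truncated Client Hello") from None

def review(codes):
    """Map each non-GREASE suite name to the legacy markers found in it."""
    names = [NAMES.get(c, "unknown_0x%04x" % c) for c in codes if not is_grease(c)]
    return {n: [f for f, marker in FLAGS.items() if marker in n] for n in names}

# Constructed sample: a minimal Client Hello carrying the 14 codes listed above.
CODES = [0xFAFA] + list(NAMES)
SUITES = struct.pack("!H%dH" % len(CODES), 2 * len(CODES), *CODES)
HELLO = b"\x03\x03" + bytes(32) + b"\x00" + SUITES + b"\x01\x00"
HS = b"\x01" + len(HELLO).to_bytes(3, "big") + HELLO
SAMPLE = b"\x16\x03\x01" + len(HS).to_bytes(2, "big") + HS
```
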

Additional Information

Similarly, to get the list of ciphers supported from CA PAM over other ports such as 636, 22, 389, etc.:

Install tcpdump on the CA PAM host (this requires help from the Support team).
After tcpdump is installed, capture the traffic on the specific port and analyse the capture in Wireshark to get the list of supported ciphers.