Symantec PAM - Disabling Insecure Cipher Suites for RDP -connection reset

book

Article ID: 225404

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When we disable some less secure ciphers for windows RDP connections we find that PAM can no longer connect. we did disable TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 but we did not disable TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 which based on the PAM manuals should be valid. (see https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-3/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/set-up-access-to-a-target-device/access-methods.html ) 

We also confirmed that the windows server supports TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 with powershell

PS C:\Users\Administrator> get-tlsCipherSuite | ft name

Name
----
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Cause

When you disable the cipher TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 you are able to use TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 but you did not create or update your certificate in windows as a ECDSA certificate.

Environment

Release : 3.3, 3.4, 3.5 

Component : 

Resolution

 This is specific to the Windows Operating System and generic SSL connections.

ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enabled but this would require an ECDSA certificate. Please see Microsoft's website on how to update the RDP protocol certificate for your specific windows version.

 

To confirm what ciphers are not just enablled or defined but also available you can use the nmap tool

     nmap -sV --script ssl-enum-ciphers -p 3389 <ip of windows server>

Or use openssl to confirm that the ssl connection can be made with the specific  cipher

     openssl s_client -tls1_2 -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384' -connect <ip of windows server>:3389

     openssl s_client -tls1_2 -cipher 'DHE-RSA-AES128-GCM-SHA256' -connect <ip of windows server>:3389