Cloud SWG "PFMS SSL Cipher Maintenance" announcement mentions that less secure ciphers are being removed from the PFMS servers, and that the certain ciphers will remain active following this action.
The task is to make sure that at least one is supported in your client environments:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
The action required states that any affected clients must be upgraded to a browser/OS that supports one or more of the ciphers above, before September 29, 2023.
What the document does not mention is that ciphers are being removed, so that we can correlate negotiated ciphers in our environment with the ciphers that are being removed to identify potential issues.
What ciphers are actually being removed by this documented change?
Pac File Management System (PFMS).
Cloud SWG.
Security improvements to PFMS environment.
Verify that the above strong ciphers, documented in maintenance alert, are all active in your client environment.
For the record, the list of ciphers that PFMS will stop supporting at the end of September is the following:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA