Customizing ciphers to prevent vulnerabilities on SpanVA

Article ID: 273538

Products

CASB Gateway CASB Audit

Issue/Introduction

Vulnerabilities are reported on ports 443/tcp and 20200/tcp for the ciphers listed below, which need to be remediated:

TLS 1.2 ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Resolution

You can customize which TLS 1.2 ciphers the SpanVA allows on port 20200/tcp. To do this:

  1. Login to the SpanVA
  2. Go to Settings on the left hand side
  3. Scroll down to Advanced TLS Cipher Configuration
  4. Check the ciphers you want and uncheck those you do not.

For port 443/tcp, customization is not currently supported. Note, however, that in these cipher suites SHA-1 is used only for MAC generation (HMAC-SHA1), which NIST still allows because its security strength is greater than 112 bits (128 bits for HMAC-SHA1). NIST has also set the transition away from SHA-1 for Dec 31, 2030 in its latest announcement: NIST transitioning away from SHA-1 for all apps
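The following is an added example, not part of this article and not Broadcom or SpanVA code. It shows how an administrator can decide which suites to uncheck under Advanced TLS Cipher Configuration before touching the appliance: it parses IANA cipher-suite names, separates the record MAC (an HMAC in CBC suites) from the AEAD suites, flags the CBC_SHA family the scanner reports, and produces an openssl s_client command to confirm that a suite no longer negotiates on 20200/tcp after the change. The suite list, the host name spanva.example and the helper names (parse_suite, audit, verify_command) are all constructed for illustration; only the two flagged suites come from the article.

```python
"""Audit a TLS 1.2 cipher-suite list and flag the CBC/SHA-1 suites named in the article."""

# Constructed sample: suites an appliance might offer on 20200/tcp. Only the
# two CBC_SHA suites in the article are real findings; the rest are hypothetical.
OFFERED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      # flagged in the article
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # flagged in the article
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# IANA suffix -> hash algorithm. In IANA names a bare "SHA" means SHA-1.
HASH_NAMES = {"MD5": "MD5", "SHA": "SHA-1", "SHA256": "SHA-256", "SHA384": "SHA-384"}

# IANA -> OpenSSL names for the suites above (OpenSSL's own naming scheme).
OPENSSL_NAMES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}


def parse_suite(name):
    """Split an IANA TLS 1.2 suite name into key exchange, cipher, hash and MAC."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    kex, rest = name[4:].split("_WITH_", 1)
    cipher, hash_ = rest.rsplit("_", 1)
    if hash_ not in HASH_NAMES:          # e.g. TLS_RSA_WITH_AES_128_CCM has no hash suffix
        cipher, hash_ = rest, None
    aead = any(mode in cipher for mode in ("GCM", "CCM", "POLY1305"))
    return {
        "kex": kex,
        "cipher": cipher,
        "hash": HASH_NAMES.get(hash_),
        "aead": aead,
        # Only non-AEAD (CBC) suites use the hash as an HMAC over each record;
        # in AEAD suites it is just the PRF, so it is not a MAC weakness.
        "mac": None if aead else f"HMAC-{HASH_NAMES[hash_]}",
        "forward_secrecy": kex.startswith(("ECDHE", "DHE")),
    }


def audit(suites, drop_sha1_mac=True, require_forward_secrecy=False):
    """Return (keep, drop, reasons): which suites to leave checked and which to uncheck."""
    keep, drop, reasons = [], [], {}
    for suite in suites:
        p = parse_suite(suite)
        why = []
        # HMAC-SHA1 still has ~128-bit strength per NIST, so this is driven by
        # the scanner finding in the article rather than a NIST prohibition.
        if drop_sha1_mac and p["mac"] == "HMAC-SHA-1":
            why.append("CBC suite with HMAC-SHA1 record MAC (flagged on 443/20200)")
        if require_forward_secrecy and not p["forward_secrecy"]:
            why.append("static RSA key exchange, no forward secrecy")
        (drop if why else keep).append(suite)
        if why:
            reasons[suite] = why
    return keep, drop, reasons


def verify_command(host, port, iana_name):
    """openssl s_client line that should fail to handshake once the suite is unchecked."""
    return (f"openssl s_client -connect {host}:{port} -tls1_2 "
            f"-cipher {OPENSSL_NAMES[iana_name]} </dev/null")


if __name__ == "__main__":
    keep, drop, reasons = audit(OFFERED_SUITES)
    print("leave checked:", *keep, sep="\n  ")
    print("uncheck:")
    for suite in drop:
        print(f"  {suite}: {'; '.join(reasons[suite])}")
        # Hypothetical host name; run after saving the SpanVA settings.
        print("    verify:", verify_command("spanva.example", 20200, suite))
```

After unchecking a suite and saving, the printed openssl command is expected to report a handshake failure for that suite while the GCM suites still connect; port 443/tcp cannot be changed this way, so the same check there simply documents the current state.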