Customizing ciphers to prevent vulnerabilities on SpanVA



Article ID: 273538


Updated On:


CASB Gateway, CASB Audit


The ciphers listed below are flagged as vulnerabilities on ports 443 and 20200 and need to be remediated:

TLS 1.2 ciphers:



You can customize the ciphers for TLS 1.2 and port 20200/tcp that you allow on the SpanVA. To do this:

  1. Log in to the SpanVA.
  2. Go to Settings on the left-hand side.
  3. Scroll down to Advanced TLS Cipher Configuration.
  4. Check the ciphers you want to allow and uncheck those you do not.
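
To confirm the change took effect, the following added example (not part of the original article or any vendor tooling) probes port 20200/tcp one TLS 1.2 suite at a time and compares what the port accepts with the ciphers left checked. It assumes the allowed list is written with OpenSSL suite names; the function names and the command-line form are hypothetical.

```python
import socket
import ssl
import sys


def tls12_candidates():
    """Suite names (OpenSSL naming) the local build can offer below TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def accepts(host, port, cipher, timeout=5.0):
    """True if host:port completes a TLS 1.2 handshake with exactly this suite."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # cipher audit only; certificate is not checked
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(cipher)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except OSError:  # ssl.SSLError (handshake refused) is a subclass of OSError
        return False


def scan(host, port=20200, candidates=None, probe=accepts):
    """Offer each candidate suite on its own and keep the ones the port accepts."""
    if candidates is None:
        candidates = tls12_candidates()
    return [c for c in candidates if probe(host, port, c)]


def audit(accepted, allowed):
    """Compare suites the port accepted with those left checked in the UI."""
    accepted, allowed = set(accepted), set(allowed)
    return {
        "unexpected": sorted(accepted - allowed),  # still offered though unchecked
        "missing": sorted(allowed - accepted),     # checked but not negotiable
    }


if __name__ == "__main__":
    host = sys.argv[1]      # SpanVA address (assumed first argument)
    allowed = sys.argv[2:]  # suites left checked, as OpenSSL names
    print(audit(scan(host, 20200), allowed))
```

The scan can only offer suites the local OpenSSL build supports, so an empty "unexpected" list means none of those suites were accepted, not that the port offers nothing else.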

For port 443/tcp, customization is not currently allowed. However, SHA-1 is used in the context of MAC generation, which NIST still allows because its security strength is greater than 112 bits (128 bits for HMAC-SHA1). In addition, the transition away from SHA-1 is set for Dec 31, 2030, as per NIST's latest announcement: NIST transitioning away from SHA-1 for all apps