Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to Deny the Diffie-Hellman Key Exchange

ntl75
Occasional Contributor
‎08-13-2015 02:27:AM
‎08-13-2015 02:27:AM

How to Deny the Diffie-Hellman Key Exchange

I would like to deny this because they are considered weak ciphers because of the DHE component.

Any step by step guide on this

thanks again in advance

0 Kudos
6 REPLIES 6
kita
Regular Contributor
‎08-13-2015 06:08:PM
‎08-13-2015 06:08:PM

Re: How to Deny the Diffie-Hellman Key Exchange

Are we looking to remove DHE completely or just 1024-bit and lower?
0 Kudos
ntl75
Occasional Contributor
‎08-15-2015 04:34:AM
‎08-15-2015 04:34:AM

Re: How to Deny the Diffie-Hellman Key Exchange

Hi we would like to remove DHE altogether (WOULD THIS BE AN ISSUE?) and use the following:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

thanks
0 Kudos
kita
Regular Contributor
‎08-15-2015 03:48:PM
‎08-15-2015 03:48:PM

Re: How to Deny the Diffie-Hellman Key Exchange

Hello NTL75,

Currently, there are no known vulnerabilities with ECDHE cipher suites. We plan to add a feature to allow customer's to select cipher suites they would like to support in 8.2RX. This is planned for the later part of Q4 2015.
ntl75
Occasional Contributor
‎08-17-2015 10:56:AM
‎08-17-2015 10:56:AM

Re: How to Deny the Diffie-Hellman Key Exchange

Hi, Many thanks for your reply.
So at present there is no way for me to achieve what I had planned?

thanks
0 Kudos
psirt
Not applicable
‎08-18-2015 02:08:PM
‎08-18-2015 02:08:PM

Re: How to Deny the Diffie-Hellman Key Exchange

Hi ntl75,

A new feature to disable 1024 bit DH key exchange will be added in new releases of code. Please see the "Logjam" section on the following security advisory for more information: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40002

Thanks,
Pulse Secure PSIRT
kita
Regular Contributor
‎08-20-2015 02:47:AM
‎08-20-2015 02:47:AM

Re: How to Deny the Diffie-Hellman Key Exchange

Correct. There is no current way to specifically disable all ECDHE and DHE cipher suites. However, due to the recent concerns with 1024-bit DHE cipher suites and below, we will be making a change to disable 1024-bit DHE cipher in the next releases.
0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.