cancel
Showing results for 
Search instead for 
Did you mean: 

Is there any way to disable ECDHE and DHE ciphers and thus Forward Secrecy?

Highlighted
Frequent Contributor

Is there any way to disable ECDHE and DHE ciphers and thus Forward Secrecy?

Although this might seem counter-intuitive, it's not. Those ciphers enable Forward Secrecy and when your SA appliance is behind an SSL-decrypting web app firewall using inline bridge mode or an IDS/IPS using sniffing mode, the use of Diffie-Hellman ciphers causes the WAF and IDS/IPS to go completely blind to the SSL traffic.

 

So while the use of Forward Secrecy improves the individual client-to-server connection security, it actually can open your entire company to being hacked because application-level attacks via HTTPS will go right through to the SA appliances.

 

It would be nice if we could actually select the ciphers we want to use and in what server-preferred order.

 

Thanks,

 

Ray

2 REPLIES 2
Highlighted
Occasional Contributor

Re: Is there any way to disable ECDHE and DHE ciphers and thus Forward Secrecy?

Hi,

 

I full agree !

 

Is there any way to disable ECDHE and DHE ciphers on Junpier MAG's if required for some customers ?

 

Cheers

 

Fabien

Highlighted
Contributor

Re: Is there any way to disable ECDHE and DHE ciphers and thus Forward Secrecy?

https://forums.pulsesecure.net/topic/pulse-connect-secure/265658-allow-changing-cipher-order

 

The request has been logged, and it is a planned feature but not likely to happen until the next major point release of the software according to Kita. With everything up in the air with the merger to pulse secure this may take longer than usual.