Is there any way to disable ECDHE and DHE ciphers and thus Forward Secrecy?

Ray_
Frequent Contributor

Although this might seem counter-intuitive, it's not. Those ciphers enable Forward Secrecy and when your SA appliance is behind an SSL-decrypting web app firewall using inline bridge mode or an IDS/IPS using sniffing mode, the use of Diffie-Hellman ciphers causes the WAF and IDS/IPS to go completely blind to the SSL traffic.

So while the use of Forward Secrecy improves the individual client-to-server connection security, it actually can open your entire company to being hacked because application-level attacks via HTTPS will go right through to the SA appliances.

It would be nice if we could actually select the ciphers we want to use and in what server-preferred order.

Thanks,

Ray
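Whether dropping ECDHE/DHE actually makes the traffic inspectable depends on which key exchange each suite uses, so here is an added example (my own code, not the appliance's or Pulse Secure's) that classifies IANA cipher suite names and reports which ones a passive decryptor holding only the server's long-term private key can follow. The server-preferred suite list is a constructed sample. Two caveats it makes visible: TLS 1.3 suites always use an ephemeral (EC)DHE share, so removing ECDHE/DHE only affects TLS 1.2 and earlier; and a WAF that terminates TLS itself (reverse-proxy mode) sees plaintext regardless of key exchange, which is the way to keep forward secrecy and inspection at the same time.

```python
# Added example, not code from the forum thread or from Pulse Secure / Juniper.
# Classifies TLS cipher suites (IANA names) by key-exchange method so an operator
# can see which suites a passive SSL-decrypting WAF or IDS/IPS, one that only
# holds the server's long-term private key, can still inspect.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    key_exchange: str            # "ECDHE", "DHE", "RSA", "ECDH", "DH" or "TLS13"
    forward_secrecy: bool        # ephemeral exchange: session keys not derivable from the long-term key
    passively_decryptable: bool  # capture + server private key recovers the session


# TLS 1.3 suite names carry no key-exchange token because the 1.3 handshake
# always uses an ephemeral (EC)DHE share; forward secrecy cannot be switched off.
_TLS13 = re.compile(r"^TLS_(AES_(128|256)_(GCM|CCM|CCM_8)|CHACHA20_POLY1305)_SHA(256|384)$")

# TLS 1.2 and earlier: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
_TLS12 = re.compile(r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?:RSA|ECDSA|DSS|anon))?_WITH_")

_EPHEMERAL = {"ECDHE", "DHE"}


def classify(name: str) -> SuiteInfo:
    """Return key-exchange facts for one IANA cipher suite name."""
    if _TLS13.match(name):
        return SuiteInfo(name, "TLS13", forward_secrecy=True, passively_decryptable=False)
    m = _TLS12.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m.group("kx")
    fs = kx in _EPHEMERAL
    # RSA key transport and static (EC)DH both derive the session from the server's
    # long-term key, so a passive decryptor holding that key can follow them.
    return SuiteInfo(name, kx, forward_secrecy=fs, passively_decryptable=not fs)


def passive_inspection_report(server_preferred_order: list[str]) -> dict[str, list[str]]:
    """Split a server-preferred suite list into what a passive decryptor sees and what it misses."""
    report: dict[str, list[str]] = {"visible": [], "blind": [], "blind_even_without_dhe": []}
    for name in server_preferred_order:
        info = classify(name)
        if info.passively_decryptable:
            report["visible"].append(name)
        else:
            report["blind"].append(name)
            if info.key_exchange == "TLS13":
                # Disabling ECDHE/DHE does nothing for these: TLS 1.3 is always ephemeral.
                report["blind_even_without_dhe"].append(name)
    return report


def after_disabling_dhe_ecdhe(server_preferred_order: list[str]) -> list[str]:
    """Ordered list left after removing ECDHE/DHE suites; TLS 1.3 suites remain and still have forward secrecy."""
    return [n for n in server_preferred_order if classify(n).key_exchange not in _EPHEMERAL]


# Constructed sample server-preferred order; not taken from any real appliance.
SAMPLE_SERVER_ORDER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    rep = passive_inspection_report(SAMPLE_SERVER_ORDER)
    for bucket, names in rep.items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
    print("remaining after disabling ECDHE/DHE:", after_disabling_dhe_ecdhe(SAMPLE_SERVER_ORDER))
```

Running it on the sample shows the two `TLS_RSA_*` suites as visible to a passive decryptor, the ECDHE/DHE suites as blind, and the TLS 1.3 suite as blind even after ECDHE/DHE are disabled.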

2 REPLIES
fabien_broillet_
Occasional Contributor

Re: Is there any way to disable ECDHE and DHE ciphers and thus Forward Secrecy?

Hi,

I fully agree!

Is there any way to disable ECDHE and DHE ciphers on Juniper MAGs if required for some customers?

Cheers

Fabien

Antioch_
Contributor

Re: Is there any way to disable ECDHE and DHE ciphers and thus Forward Secrecy?

https://forums.pulsesecure.net/topic/pulse-connect-secure/265658-allow-changing-cipher-order

The request has been logged, and it is a planned feature but not likely to happen until the next major point release of the software, according to Kita. With everything up in the air with the merger with Pulse Secure, this may take longer than usual.