Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Restricting Ciper Suites

devs_
Occasional Contributor
‎12-09-2014 03:36:AM
‎12-09-2014 03:36:AM

Restricting Ciper Suites

Hello all


We have a requirement to deploy a SAS SSL VPN solution using some MAGs. The requirements as defined by the customer are to use:

 

- Encryption: AES with 128-bit key in GCM mode

- Authentication: ECDSA-256 with SHA-256 on P-256 curve

- Key Exchange: ECDH using P-256 curve

 

As all fall under the combination 1 of the Suite B profile for TLS (RFC 6460).

 

The Junos SAS does support suite B, however, I'm a little unsure as to how we actually ensure that these parameters are used when the client connects (via Pulse only, never a web browser). 

 

In our lab we have a MAG and a Pulse client. Under Configuration > Security > SSL Options I have the following configured:

 

1. Turn on FIPS mode

2. Accept only TLS

3. Custom SSL Cipher Selection (AES/3DES and AES ticked)

 

When we fire up the Pulse client we see that we only ever agree between Pulse and the SAS the Ciper Suite:

 

TLS_RSA_WITH_AES_128_CBC_SHA256

 

This may be a silly question but what is the best way to ensure that we use the following Ciper Suite so as to comply with the customer's requirements:

TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

 

Thank you

0 Kudos
2 REPLIES 2
devs_
Occasional Contributor
‎12-10-2014 02:10:AM
‎12-10-2014 02:10:AM

Re: Restricting Ciper Suites

Anyone have ideas?

 

Thanks

0 Kudos
Antioch_
Contributor
‎12-10-2014 08:49:AM
‎12-10-2014 08:49:AM

Re: Restricting Ciper Suites

The only way you can do this is by changing the cipher orders to put PFS ciphers at the top, a feature that is not currently available. You can see my thread on this here: https://forums.pulsesecure.net/topic/pulse-connect-secure/265658-allow-changing-cipher-order

 

Juniper indicated it was likely to be included in the next major release, but with everything up in the air with Juniper transitioning to pulse secure, who knows when thats going to happen.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.