
KB22854 - PCS device is accepting the weak cipher connection even though the 'Allowed Encryption Strength' section has the 'Accept only 128-bit or greater' option selected


Information

 
Last Modified Date: 8/1/2015 12:18 AM
Synopsis
This article describes an issue where the PCS device accepts a weak cipher connection even though 'Accept only 128-bit or greater' is selected as the 'Allowed Encryption Strength'.

Ideally, with this option selected, when a user tries to reach the sign-in URL with a web browser that uses less than 128-bit cipher strength, PCS should refuse to load. Instead, the PCS device loads and generates an error message.



 
Problem or Goal
If a scanner is run to test the available cipher suites against the host URL, weak ciphers may appear.

Cause
Solution
To resolve this issue, enable the 'Do not allow connections from browsers that only accept weak ciphers' option under the Security Option on the PCS admin page, as described below:
 
  1. Go to System > Configuration > Security > SSL Options:
    • The minimum recommendation is Accept only TLS.
  2. Under Allowed Encryption Strength, select Custom SSL Cipher Selection and enable AES and AES/3DES.
  3. Under the Encryption Strength option, select the Do not allow connections from browsers that only accept weaker ciphers check box.
  4. Click Save Changes.
Note: Changing any of the above settings might restart some services on the Pulse Connect Secure device.

The settings above disable the RC4 and EXPORT cipher suites, which have known vulnerabilities. For further security best practices, refer to KB29805 - Pulse Connect Secure: Security configuration best practices.
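To confirm the change after saving, the scanner run from the Problem section can be repeated and its accepted suites checked against the policy. The following is an added example, not part of the original article or any Pulse Secure tool: it flags accepted suites that are RC4, EXPORT, or below 128 bits, and it assumes a hypothetical "STATUS SUITE" report format with IANA suite names and a constructed sample report.

```python
# Nominal key sizes in bits, keyed by the bulk-cipher prefix of an IANA name.
# Assumption: 3DES is counted at its nominal 168 bits, since the article's
# custom selection keeps AES/3DES enabled.
KEY_BITS = {"AES_128": 128, "AES_256": 256, "3DES_EDE": 168, "RC4_128": 128,
            "RC4_40": 40, "RC2_CBC_40": 40, "DES40": 40, "DES": 56, "NULL": 0}

def violations(suite):
    """Return the reasons an IANA cipher-suite name breaks the policy."""
    key_exchange, sep, bulk = suite.partition("_WITH_")
    if not sep:
        return ["unrecognised name"]
    reasons = []
    if "EXPORT" in key_exchange:
        reasons.append("EXPORT")
    if bulk.startswith("RC4"):
        # RC4_128 passes a key-length test, so RC4 is matched by name.
        reasons.append("RC4")
    # Longest prefix first so that DES40 is not read as DES.
    for prefix in sorted(KEY_BITS, key=len, reverse=True):
        if bulk.startswith(prefix):
            if KEY_BITS[prefix] < 128:
                reasons.append(f"{KEY_BITS[prefix]}-bit key")
            break
    else:
        reasons.append("unknown bulk cipher")
    return reasons

def audit(report):
    """Map each ACCEPTED suite in the report to its violations, if any."""
    findings = {}
    for line in report.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ACCEPTED":
            reasons = violations(parts[1])
            if reasons:
                findings[parts[1]] = reasons
    return findings

# Constructed sample in the hypothetical "STATUS SUITE" format.
SAMPLE_REPORT = """\
ACCEPTED TLS_RSA_WITH_AES_256_CBC_SHA
ACCEPTED TLS_RSA_WITH_AES_128_CBC_SHA
ACCEPTED TLS_RSA_WITH_3DES_EDE_CBC_SHA
ACCEPTED TLS_RSA_WITH_RC4_128_SHA
ACCEPTED TLS_RSA_EXPORT_WITH_RC4_40_MD5
REJECTED TLS_RSA_WITH_DES_CBC_SHA
"""

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_REPORT).items():
        print(f"{suite}: {', '.join(reasons)}")
```

An empty result from audit() means no accepted suite in the report matched RC4, EXPORT, or a key size below 128 bits.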
Created By: Data Deployment
