By default, PFS ciphers are enabled. Some non-PFS ciphers are given higher priority (in the default order) for better performance. Note that special consideration is required before enabling only PFS ciphers, as there may still be non-PFS-capable browsers around. It is therefore recommended, in addition to the PFS cipher suites, to keep a few compatibility cipher suites configured as well.
To edit cipher suites offered on vTM globally, perform the following steps:
- Log in to the vTM admin console
- Navigate to System > Global Settings
- Expand the SSL Configuration menu
- In the ssl!cipher_suites field, enter the desired cipher suites
- Click Update
To edit cipher suites for each virtual server individually, perform the following steps:
- Log in to the vTM admin console
- Navigate to System > Virtual Server
- From the list, find the corresponding virtual server and click Edit
- Expand the SSL Decryption menu
- In the ssl!cipher_suites field, enter the desired cipher suites
- Click Update
The following PFS cipher suites are supported by Pulse Secure Virtual Traffic Manager (vTM):
vTM 10.4 and greater:
# /opt/zeus/zxtm/bin/zeus.zxtm --ciphers | egrep "SSL_ECDHE|SSL_DHE_RSA|Other"
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Other ciphers (disabled by default):
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
vTM 10.0 to vTM 10.3:
# /opt/zeus/zxtm/bin/zeus.zxtm --ciphers | egrep "SSL_ECDHE|SSL_DHE_RSA|Other"
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Other ciphers (disabled by default):
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
vTM 9.9:
# /opt/zeus/zxtm/bin/zeus.zxtm --ciphers | egrep "SSL_ECDHE|SSL_DHE_RSA|Other"
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Other ciphers (disabled by default):
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
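As an added example (not Pulse Secure code), the script below parses the output of `zeus.zxtm --ciphers` as listed above, separates PFS (ECDHE/DHE) from non-PFS suites, drops the legacy DES/EXPORT/3DES entries, and builds a PFS-first value for the ssl!cipher_suites field that still keeps a couple of compatibility suites for non-PFS-capable browsers. The sample output is constructed (the SSL_RSA_* names are assumed, since the page's egrep hides them), and the space-separated format of ssl!cipher_suites is an assumption.

```python
import re

# Constructed sample of `zeus.zxtm --ciphers` output, unfiltered (the page's egrep
# hides non-PFS SSL_RSA_* lines); the SSL_RSA_* names are assumed for illustration.
SAMPLE_OUTPUT = """\
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Other ciphers (disabled by default):
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
"""

# Substrings marking legacy/weak suites that should never be (re-)enabled.
WEAK = ("EXPORT", "_DES_", "DES40", "3DES", "RC4", "NULL", "_MD5")

def parse_ciphers(text):
    """Split --ciphers output into (enabled, disabled) suite-name lists."""
    enabled, disabled, in_disabled = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Other ciphers"):
            in_disabled = True          # everything after this header is off by default
        elif line.startswith("SSL_"):
            (disabled if in_disabled else enabled).append(line)
    return enabled, disabled

def is_pfs(name):
    """ECDHE/DHE key exchange gives forward secrecy; static RSA does not."""
    return re.match(r"SSL_(ECDHE|DHE)_", name) is not None

def is_weak(name):
    return any(tag in name for tag in WEAK)

def build_cipher_suites(enabled, compat=2):
    """PFS-first value for ssl!cipher_suites: AEAD (GCM) suites before CBC,
    weak suites dropped, then `compat` non-PFS suites kept for browsers that
    cannot negotiate PFS. Space-separated format is an assumption."""
    strong = [c for c in enabled if not is_weak(c)]
    pfs = sorted((c for c in strong if is_pfs(c)),
                 key=lambda c: 0 if "_GCM_" in c else 1)   # stable: keeps vTM order otherwise
    non_pfs = [c for c in strong if not is_pfs(c)][:compat]
    return " ".join(pfs + non_pfs)

if __name__ == "__main__":
    print(build_cipher_suites(parse_ciphers(SAMPLE_OUTPUT)[0]))
```

Paste the printed value into ssl!cipher_suites (globally or per virtual server, as described above) and re-run `zeus.zxtm --ciphers` on the real appliance to confirm every listed name is actually supported by your vTM version.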