KB22854 - PCS device is accepting the weak cipher connection even though the 'Allowed Encryption Strength' section has the 'Accept only 128-bit greater' option selected

This article describes an issue with the PCS device accepting the weak cipher connection, even though 'Accept only 128-bit or greater' is selected as the 'Allowed Encryption Strength'.

Ideally with the above mentioned option being selected, if a user tries to get to the sign-in URL using a web browser, which uses less than 128 bit cipher strength, PCS should refuse to load, but the PCS device loads and generates an error message.



 

If a scanner is ran to test the available cipher suites against the host URL, weak ciphers may appear.

To resolve this issue, enable the Do not allow connections from browsers that only accept weak ciphers option, under the Security Option on the PCS admin page, as mentioned below:
 

1. Go to System > Configuration > Security > SSL Options:
   • Min. recommendation is Accept only TLS
2. Under Allow Encryption Strength, select Custom SSL Cipher Selection and enable AES and AES/3DES
3. Under Encryption Strength option, select the Do not allow connections from browsers that only accept weaker ciphers check box.
4. Click Save Changes.

​Note: Changing any of the above settings might restart some services in the Pulse Connect Secure.

The following setting will disable RC4 and EXPORT cipher suites which have known vulnerabilities.  For further security best practices, please refer to KB29805 - Pulse Connect Secure: Security configuration best practices