Reset Search
 

 

Article

KB40858 - Unable to access UI after setting the cipher suites to use ECDSA

« Go Back

Information

 
Last Modified Date8/11/2017 10:16 PM
Synopsis
This article describes an issue accessing the GUI on the PCS appliance after setting customer cipher suite to use elliptic curve, ECDSA cipher suites with ECDH and /or ECDHE

 
Problem or Goal
When customer cipher suite is set to use EC, ECDSA cipher suites with ECDH and/or ECDHE the GUI on the PCS becomes inaccessible, we may observe TLS handshake failure in the communication between the client and the PCS device if we take packet capture from the client machine.  
Cause
This occurs due to using a device certificate with the key type as RSA. In that case, when we select the cipher suite that uses Elliptic Curve, such ECDSA with ECDH or ECDHE, there occurs an error while performing the handshake and cipher spec negotiation between two parties. As the server, is using a certificate that has public-private key type as RSA, while the system is set to use Elliptic curve cipher suites, key negotiation fails, and so does the handshake, resulting in UI being inaccessible.

We may observe TLS handshake failure in the communication between the client and the PCS device if we take packet capture from the client machine.  
Solution
To resolve this issue, if we have to use Elliptic curve based cipher suites then we need to have a device certificate in the PCS appliance that has the key type as ECC instead of RSA.
We can generate certificate signing request, CSR, for a ECC key type certificate from the PCS appliance. And we can submit the CSR to the respective CA to get the requested certificate signed.

To gain back access to the GUI we need to reset the cipher strength to default.
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40826
Related Links
Attachment 1 
Created BySumanto Chakraborty

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255