Original Message:
Sent: Nov 16, 2023 01:23 PM
From: bcondarco
Subject: How to disable the TLS 1.2 Cipher in Aruba ClearPass
Sri is not asking to remove TLS 1.2 altogether, but rather to remove certain suites as they are being flagged - particularly RSA. I am running into this same thing now where vulnerability scans are flagging the ability to negotiate with TLS 1.2 cipher suites including RSA.
Example:
Out of all approved TLS 1.2 Ciphers - remove all RSA options. Nowhere was it asked to remove TLS 1.2 entirely.
List of Approved TLS 1.2 Ciphers
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
Hope this clarifies and Sri's company can keep their security staff.
Original Message:
Sent: Nov 09, 2023 06:54 AM
From: ahollifield
Subject: How to disable the TLS 1.2 Cipher in Aruba ClearPass
Why though? TLS 1.2 isn't broken from an encryption standpoint? That's like saying we don't want any Windows 11 computers, only Windows 10 and 7. Maybe time for a new security team?
Original Message:
Sent: Nov 08, 2023 10:11 PM
From: Sri
Subject: How to disable the TLS 1.2 Cipher in Aruba ClearPass
Hi,
Those are our security requirements.
Regards,
Original Message:
Sent: Nov 08, 2023 10:03 PM
From: Unknown User
Subject: How to disable the TLS 1.2 Cipher in Aruba ClearPass
Why? What's wrong with them?
Original Message:
Sent: 11/8/2023 8:11:00 PM
From: Sri
Subject: RE: How to disable the TLS 1.2 Cipher in Aruba ClearPass
Hi,
Thank you for your reply. The security team asked us to disable them, as these ciphers are not allowed in the network.
Regards,
Sri
Original Message:
Sent: Nov 08, 2023 08:50 AM
From: ahollifield
Subject: How to disable the TLS 1.2 Cipher in Aruba ClearPass
Why would you want to disable TLS 1.2?
https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.9.0/Content/SystemRequirements/EndOfSupport.htm
Original Message:
Sent: Nov 08, 2023 03:55 AM
From: Sri
Subject: How to disable the TLS 1.2 Cipher in Aruba ClearPass
Hi All,
Is there any way to disable the below ciphers in ClearPass?
The ClearPass version: 6.9.13
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A
Thank you.
Sri
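Added example (not written by any poster in this thread, and not ClearPass or nmap code): a small Python parser for ssl-enum-ciphers output in the format posted above. It separates TLS_RSA_* suites, where RSA is the key exchange, from ECDHE_RSA/DHE_RSA suites, where the key exchange is ephemeral and RSA only authenticates the server. The sample is a constructed subset of lines in that format, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of lines in the ssl-enum-ciphers format shown in the thread.
SAMPLE = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
"""

# Suite name, nmap's key-exchange info in parentheses, then the letter grade.
SUITE_RE = re.compile(r"\b(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\b")

def classify(suite):
    """Split a TLS 1.2 style suite name into key exchange, authentication and mode."""
    if "_WITH_" not in suite:        # TLS 1.3 names carry no key exchange field
        return None
    kx_auth, _, cipher = suite[len("TLS_"):].partition("_WITH_")
    parts = kx_auth.split("_")
    kx = parts[0]
    auth = parts[1] if len(parts) > 1 else parts[0]  # TLS_RSA_*: RSA does both jobs
    return {
        "suite": suite,
        "kx": kx,
        "auth": auth,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "aead": any(tag in cipher for tag in ("GCM", "CCM", "CHACHA20")),
    }

def parse_scan(text):
    """Return one classification dict per cipher line, with nmap's key info and grade."""
    rows = []
    for m in SUITE_RE.finditer(text):
        row = classify(m.group(1))
        if row is not None:
            row["key_info"], row["grade"] = m.group(2), m.group(3)
            rows.append(row)
    return rows

def static_rsa(rows):
    """Suites whose key exchange is RSA itself (no ephemeral key, no forward secrecy)."""
    return [r["suite"] for r in rows if r["kx"] == "RSA"]

if __name__ == "__main__":
    for r in parse_scan(SAMPLE):
        print(r["suite"], "kx=" + r["kx"], "auth=" + r["auth"],
              "fs=" + str(r["forward_secrecy"]), "aead=" + str(r["aead"]))
```

Running the same function over a rescan after a cipher change shows which category of suite is still being offered.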