Palo Alto Networks Knowledgebase: macOS X 10.13 & iOS 11 - New Requirements for GlobalProtect Connections

Created On 02/07/19 23:55 PM - Last Updated 02/07/19 23:55 PM
VPNs
Resolution

Please see the Apple support article at https://support.apple.com/en-us/HT207828 for the source of this information.

In summary, these releases have the following requirements:

  • Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates. 
  • Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
  • Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0. 
  • Authentication based on client certificates requires the server to support TLS 1.2 with cipher suites that are compatible with forward secrecy.

Note: If the SSL/TLS Service Profile for the GlobalProtect Portal and Gateway supports a maximum TLS version of 1.1, then neither an iOS 11 nor a macOS 10.13 system will succeed in establishing a connection. Once the configuration is committed with the maximum version set to 1.2 or to "max", the GlobalProtect agent will connect successfully.
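The following is an added example (not Palo Alto Networks or Apple code) that turns the four requirements above into a checklist an administrator can run before upgrading clients. The `profile` dictionary is an assumed, hand-built representation of what is visible in the firewall's SSL/TLS Service Profile and certificate pages, not a PAN-OS API structure; `probe_portal` additionally performs a TLS 1.2-only handshake against a live portal or gateway to confirm the negotiated version and a forward-secret cipher suite.

```python
"""Check a GlobalProtect portal/gateway against the iOS 11 / macOS 10.13 TLS
requirements: TLS 1.2 available, no SHA-1 certificate, RSA >= 2048 bits,
and forward-secret (ECDHE/DHE) cipher suites. Added example, not vendor code."""
import socket
import ssl

FS_KEX = ("ECDHE", "DHE")  # key-exchange prefixes that provide forward secrecy

def check_profile(profile):
    """Return a list of findings for an (assumed) profile dict with keys:
    max_tls_version ('1.0'|'1.1'|'1.2'|'max'), cert_sig_alg (e.g. 'sha256WithRSA'),
    rsa_key_bits (int), ciphers (list of OpenSSL-style suite names).
    An empty list means the profile meets all four Apple requirements."""
    findings = []
    if profile["max_tls_version"] not in ("1.2", "max"):
        findings.append("max TLS version must be 1.2 or max; iOS 11 / macOS 10.13 need TLS 1.2")
    if profile["cert_sig_alg"].lower().startswith("sha1"):
        findings.append("server certificate is SHA-1 signed; reissue with a SHA-2 certificate")
    if profile["rsa_key_bits"] < 2048:
        findings.append(f"RSA key is {profile['rsa_key_bits']} bits; Apple no longer trusts < 2048")
    if not any(c.upper().startswith(FS_KEX) for c in profile["ciphers"]):
        findings.append("no forward-secret (ECDHE/DHE) suites; client-certificate auth will fail")
    return findings

def probe_portal(host, port=443, timeout=5):
    """Handshake as a TLS 1.2-only client, as the Apple clients do by default.
    Returns (ok, detail); ok is True only when TLS 1.2 was negotiated with an
    ECDHE/DHE suite. A server capped at TLS 1.1 fails the handshake outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                ok = version == "TLSv1.2" and name.upper().startswith(FS_KEX)
                return ok, f"{version} {name}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"handshake failed (version cap, untrusted cert or no shared FS suite): {exc}"

# Constructed sample: a profile still capped at TLS 1.1 with a legacy certificate.
SAMPLE_PROFILE = {"max_tls_version": "1.1", "cert_sig_alg": "sha1WithRSAEncryption",
                  "rsa_key_bits": 1024, "ciphers": ["AES256-SHA", "AES128-SHA"]}

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE):
        print("FAIL:", finding)
```

Run `probe_portal("portal.example.com")` (placeholder hostname) after committing the corrected profile; a `False` result with a handshake error is exactly what an iOS 11 or macOS 10.13 GlobalProtect agent would experience.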

Changes coming with iOS 11

Security

iOS 11, tvOS 11, and Mac OS High Sierra include the following changes to TLS connections:

  • Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
  • Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
  • Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0. 
  • Authentication based on client certificates requires the server to support TLS 1.2 with cipher suites that are compatible with forward secrecy.

Changes coming with Mac OS High Sierra

Security

macOS High Sierra, tvOS 11, and iOS 11 include the following changes to TLS connections:

  • Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
  • Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
  • Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0. 
  • Authentication based on client certificates requires the server to support TLS 1.2 with cipher suites that are compatible with forward secrecy.