macOS X 10.13 & iOS 11 - New Requirements for GlobalProtect Connections

Created On 09/25/18 17:36 PM - Last Modified 09/12/23 17:20 PM


Environment


  • macOS High Sierra and iOS 11 endpoints 
  • GlobalProtect App 


Resolution


  1. The following changes were made to Apple's TLS requirements:
  • Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates. 
  • Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
  • Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0. 
  • Authentication based on client certificates requires the server to support TLS 1.2 with cipher suites that are compatible with forward secrecy.

Note: If the SSL/TLS Service Profile for the GlobalProtect Portal and Gateway supports a maximum TLS version of 1.1, then neither an iOS 11 nor a Mac OS X 10.13 system will succeed in establishing a connection. Once the configuration is committed with the maximum version set to 1.2 or to "max", the GlobalProtect agent will succeed.
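The following script is an added example (not Palo Alto Networks or Apple code) that audits a portal or gateway against the four requirements listed above: it checks a certificate dump produced by `openssl x509 -noout -text` for SHA-1 signatures and RSA keys under 2048 bits, and checks a negotiated handshake for TLS 1.2 or higher and a forward-secret cipher suite. The certificate text and cipher names in it are constructed samples; `probe()` needs network access and the portal hostname is a placeholder.

```python
"""Audit a GlobalProtect portal/gateway against Apple's iOS 11 / 10.13 TLS changes."""
import re
import socket
import ssl

RSA_MIN_BITS = 2048          # Apple no longer trusts smaller RSA keys
FS_KEX = ("ECDHE", "DHE")    # OpenSSL cipher-name prefixes with forward secrecy


def audit_cert_text(text):
    """Findings for `openssl x509 -noout -text` output (empty list = OK)."""
    findings = []
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    algo = sig.group(1) if sig else "unknown"
    if algo.lower().startswith(("sha1", "md5")):
        findings.append(f"signature {algo}: SHA-1 certificates are no longer trusted")
    # Only RSA keys are subject to the 2048-bit floor; EC keys are much shorter.
    key = re.search(r"Public Key Algorithm:\s*(\S+).*?Public-Key:\s*\((\d+) bit\)", text, re.S)
    if key and key.group(1) == "rsaEncryption" and int(key.group(2)) < RSA_MIN_BITS:
        findings.append(f"RSA key of {key.group(2)} bits is below {RSA_MIN_BITS}")
    return findings


def audit_handshake(version, cipher):
    """Findings for the negotiated protocol version and OpenSSL cipher name."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"{version}: profile must allow TLS 1.2 (set max version to 1.2 or max)")
    # TLS 1.3 suites are always forward secret; older suites need (EC)DHE key exchange.
    if version != "TLSv1.3" and not cipher.startswith(FS_KEX):
        findings.append(f"{cipher}: client-certificate auth needs a forward-secret suite")
    return findings


def probe(host, port=443):
    """Live handshake check against a portal/gateway (network required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return audit_handshake(tls.version(), tls.cipher()[0])


# Constructed sample of a certificate that fails both certificate checks.
WEAK_CERT_TEXT = """    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""

if __name__ == "__main__":
    print(audit_cert_text(WEAK_CERT_TEXT))
    print(audit_handshake("TLSv1.1", "AES256-SHA"))
    # print(probe("gp-portal.example.com"))  # placeholder hostname
```

Pipe a live certificate in with `openssl s_client -connect <portal>:443 </dev/null | openssl x509 -noout -text` to feed `audit_cert_text()`.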

 

  2. Excerpt from Apple's article discussing this:
  • Changes coming with iOS 11

Security

iOS 11, tvOS 11, and macOS High Sierra include the following changes to TLS connections:

  • Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
  • Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
  • Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.

  • Changes coming with macOS High Sierra

Security

macOS High Sierra, tvOS 11, and iOS 11 include the following changes to TLS connections:

  • Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
  • Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
  • Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.

Note: Please see the Apple support article at https://support.apple.com/en-us/HT207828 for the source of this information.


Additional Information


Note: For Apple's updated TLS requirements beginning in iOS 13 and macOS 10.15, please refer to the following external link: 
