I have Peplink Balance 20 that is failing PCI compliance due to “Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32”.
How can this be disabled?
From the PCI scan:
This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Tripple DES (3DES) block ciphers with a block size of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.
This issue can by avoided by disabling block ciphers of 64 bit length (like DES/3DES) in all the SSL/TLS servers. Exact procedure depends on the actual implementation. Please refer to the documentation of your SSL/TLS server software and actual service software (http server, mail server, etc).