topic Re: Disable TLS 1.0/1.1 for https inspection in Firewall and Security Management

Disable TLS 1.0/1.1 for https inspection

Martin_Raska — Tue, 26 Apr 2022 07:59:43 GMT

Hello,

we are dealing with the issue of how to disable the entire TLS 1.0/1.1 for outbound HTTPS inspection. I know sk126613, but we dont want to disable ciphers but used protocol. Only TLS 1.2 from GW should be allowed. The configuration should be done one GW not clients, that's a different part.

Some ciphers are used both in TLS 1.0/1.1/1.2 eg.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

so disabling only ciphers is not what we are looking for.

Re: Disable TLS 1.0/1.1 for https inspection

Chris_Atkinson — Tue, 26 Apr 2022 09:16:43 GMT

Recommend discussing this further with TAC, as I recall this needs a change to ssl_min_ver parameter via GuiDBedit.

Re: Disable TLS 1.0/1.1 for https inspection

G_W_Albrecht — Tue, 26 Apr 2022 10:31:25 GMT

https://community.checkpoint.com/t5/General-Topics/Disable-TLS-1-0/m-p/70338/page/2

Re: Disable TLS 1.0/1.1 for https inspection

Martin_Raska — Tue, 26 Apr 2022 10:46:35 GMT

thx, for some reason I miss this one in search box - Disable-TLS-1-0

Re: Disable TLS 1.0/1.1 for https inspection

_Jelle — Tue, 12 Jul 2022 08:57:42 GMT

Hi Martin,

Did you find a answer to your question? I am having the same question right now and it would be great if you could share your findings 🙂 I also recall that you should edit GuiDBedit as @Chriz mentions, but i can't seem to find the correct SK for this particular question.

I also created a TAC case so if you do not have the answer i will repost it here 🙂

Regards,

Jelle

Re: Disable TLS 1.0/1.1 for https inspection

Martin_Raska — Tue, 12 Jul 2022 09:00:40 GMT

Its this - sk107744

Re: Disable TLS 1.0/1.1 for https inspection

_Jelle — Tue, 12 Jul 2022 12:05:56 GMT

Hi Martin,

Thanks for you answer. I find it very strange that there is no exact SK describing how to achieve this for HTTPS inspection in general. Also there is no information about what to do, when this change is applied. For example there is no information about expected behavior... do we need to reboot the gateways for this change to be active? Is there traffic disruption? All is based on assumptions...

To be more exact on your previous answer, i assume that you mean that we have to execute the "workaround" mentioned in this SK?

Regards,

Jelle

Re: Disable TLS 1.0/1.1 for https inspection

_Val_ — Tue, 12 Jul 2022 12:17:19 GMT

@Martin_Raska did you look here? https://community.checkpoint.com/t5/General-Topics/Disable-TLS-1-0/m-p/70338#M14237

Re: Disable TLS 1.0/1.1 for https inspection

_Jelle — Tue, 12 Jul 2022 12:24:41 GMT

Hi @_Val_ ,

FYI, I asked Martin if he could share the solution he found, as you can see above he used a snippet from a Sk107744 that is EOL... Why is it, that there doesn't seem to be a (up-to-date / on the point) valid SK about this topic?

Regards,

Jelle

Re: Disable TLS 1.0/1.1 for https inspection

G_W_Albrecht — Tue, 12 Jul 2022 12:29:20 GMT

sk126613: Cipher configuration tool for Security Gateways

Re: Disable TLS 1.0/1.1 for https inspection

_Jelle — Tue, 12 Jul 2022 14:21:51 GMT

Hi G_W_Albrecht,

Thanks for your response, i am aware of the cipher tool, but disabling a TLS cipher is not the same as disabling the complete tls version...

Is it possible to completely disable TLS1.0/1.1 via the cipher tool? I mean, for example; we can have the cipher string TLS_RSA_WITH_AES_128_CBC_SHA which can be used for both TLS.1.0 and TLS1.2... (LINK)

I think the cipher tool should be extended to also disable the complete protocol or a SK should be available to completely disable these protocols.

Re: Disable TLS 1.0/1.1 for https inspection

_Val_ — Tue, 12 Jul 2022 12:59:19 GMT

Sk107744 is not applicable to later versions, there is a cipher_util for supported versions. Which is dully mentioned in that very SK

Re: Disable TLS 1.0/1.1 for https inspection

_Jelle — Tue, 12 Jul 2022 13:22:19 GMT

@_Val_, the cipher_util is not sufficient enough to achieve my goal if i understand this correctly.

someone can use a specific cipher for both TLS1.0/1.1 and TLS1.2. What I mean by this is that it doesn't matter if you turn certain ciphers on or off without disabling the specific versions. (A good example is disabling TLS version 1.0 via IPS where you disable the entire version) So I am looking for an SK that specifically describes how to disable the TLS1.0 and TLS.1.1 versions without having to use an outdated SK .

Re: Disable TLS 1.0/1.1 for https inspection

G_W_Albrecht — Tue, 12 Jul 2022 13:56:54 GMT

Better select which strong cipher suites should be used. TLS_RSA_WITH_AES_128_CBC_SHA is a weak cipher suite - why ?

- Non-ephemeral Key Exchange:

This key exchange algorithm does not support Perfect Forward Secrecy (PFS) which is recommended, so attackers cannot decrypt the complete communication stream.

- Cipher Block Chaining:

In 2013, researchers demonstrated a timing attack against several TLS implementations using the CBC encryption algorithm (see isg.rhul.ac.uk). Additionally, the CBC mode is vulnerable to plain-text attacks in TLS 1.0, SSL 3.0 and lower. A fix has been introduced with TLS 1.2 in form of the GCM mode which is not vulnerable to the BEAST attack. GCM should be preferred over CBC.

- Secure Hash Algorithm 1:

The Secure Hash Algorithm 1 has been proven to be insecure as of 2017 (see shattered.io).

Re: Disable TLS 1.0/1.1 for https inspection

G_W_Albrecht — Tue, 12 Jul 2022 14:00:04 GMT

My current cipher selection:

SSL Inspection

Enabled:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

Re: Disable TLS 1.0/1.1 for https inspection

_Val_ — Tue, 12 Jul 2022 14:21:29 GMT

I believe, we have discussed this multiple times in the community over the years. On top of what was mentioned here already, https://community.checkpoint.com/t5/Security-Gateways/Disable-TLS1-0-Chekcpoint-R80-40/m-p/93023#M7186

I do not think we have an SK for this specific topic though, other than the one mentioned above. Mind, the community team is not running SecureKnowledge. If you need an official document/guidance from Check Point, please open a TAC case.

Re: Disable TLS 1.0/1.1 for https inspection

_Jelle — Tue, 12 Jul 2022 14:32:17 GMT

@_Val_, i understand that the community is not running SK's but my question was if there is any describing my specific question. TAC case was already created but i also wanted to ask the community, because it felt like i was not able to find the correct SK/discussion for this specific question.... Hence this question. FYI the link you provide is regarding the Gaia portal not HTTPS inspection is this correct? Anyway... I will wait for a reply from TAC on this one.. Thanks anyway 🙂

Re: Disable TLS 1.0/1.1 for https inspection

_Jelle — Tue, 12 Jul 2022 14:47:21 GMT

@G_W_Albrecht, Thanks for you answer. This gives a way to indeed get what I'm looking for. But not yet on the initial question. How do I explicitly disable TLS version 1.0/1.1 on versions higher than R77.30?

From sk107744 is this still the correct way?

Connect with SmartDashboard to Security Management Server / Domain Management Server.
~~Go to File menu - click on Database Revision Control... - create a revision snapshot.~~
~~Note: Database Revision Control is not supported for VSX objects (sk65420).~~
Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
In the upper left pane, go to Table - Other - ssl_inspection.
In the upper right pane, select general_confs_obj.
Press CTRL+F (or go to Search menu - Find) - paste ssl_min_ver - click on Find Next.
In the lower pane, right-click on the ssl_min_ver - select Edit... - select "TLS1.1" - click on OK:
Save the changes: go to File menu - click on Save All.
Close the GuiDBedit Tool.
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Install the policy onto the relevant Security Gateway / Cluster object.

Or do we need to use the cipher_util to implicitly disable old TLS versions to get the job done? Maybe it's my way of explaining things here but i don't seem to get 1 clear answer for this.

Anyhow, there is a existing TAC case on this 1 so ill wait what they come back with 🙂

Re: Disable TLS 1.0/1.1 for https inspection

Martin_Raska — Wed, 13 Jul 2022 07:55:31 GMT

Hi Val,

this sk107744 and procedure here is the same https://community.checkpoint.com/t5/General-Topics/Disable-TLS-1-0/m-p/70338#M14237

Re: Disable TLS 1.0/1.1 for https inspection

Martin_Raska — Wed, 13 Jul 2022 12:24:36 GMT

I think there should be the SK and guide how to do it. I mean the official way, easy way as other vendors have it quite easy, one command or click in profile and its done.

For CP we need several threads in forum and a couple outdated SKs.