https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/94919#M7367 <P>I'm trying to track down how to get legacy client authentication to disable SSLv2/v3 TLS1.0 and TLS1.1. I found</P><P>&nbsp;</P><P>sk102989 -&nbsp;Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)</P><P>and</P><P>sk100584 -&nbsp;Cipher strength for Client Authentication feature is under 128-bit and there is no way to control which SSL version to use</P><P>&nbsp;</P><P>both basically say to set&nbsp;ASSL_NO_SSLV2=1 and ASSL_NO_SSLV3=1 (how they say to set them is a little different but end result looks the same).</P><P>However sk100584 also says how to disable TLS1.0 (but not TLS 1.1 ?) but also says you can't disable all three.</P><P>&nbsp;</P><P>I'm a little confused what is the proper way to disable the insecure protocols here. My goal would be to only support TLS1.2 for client auth. Yes, I know captive portal would be better but we're not in a place where we can move everything yet.</P> Sat, 22 Aug 2020 06:56:03 GMT John_Fleming 2020-08-22T06:56:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/94919#M7367 <P>I'm trying to track down how to get legacy client authentication to disable SSLv2/v3 TLS1.0 and TLS1.1. I found</P><P>&nbsp;</P><P>sk102989 -&nbsp;Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)</P><P>and</P><P>sk100584 -&nbsp;Cipher strength for Client Authentication feature is under 128-bit and there is no way to control which SSL version to use</P><P>&nbsp;</P><P>both basically say to set&nbsp;ASSL_NO_SSLV2=1 and ASSL_NO_SSLV3=1 (how they say to set them is a little different but end result looks the same).</P><P>However sk100584 also says how to disable TLS1.0 (but not TLS 1.1 ?) but also says you can't disable all three.</P><P>&nbsp;</P><P>I'm a little confused what is the proper way to disable the insecure protocols here. My goal would be to only support TLS1.2 for client auth. Yes, I know captive portal would be better but we're not in a place where we can move everything yet.</P> Sat, 22 Aug 2020 06:56:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/94919#M7367 John_Fleming 2020-08-22T06:56:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/94933#M7368 <P>As you probably know, Client Auth is a legacy feature.<BR />Not sure if fixing Client Auth falls under&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>&nbsp;’s team or not.<BR />That said, understanding the precise use case for Client Auth may be useful so we can make Identity Awareness support it.</P> Sat, 22 Aug 2020 15:40:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/94933#M7368 PhoneBoy 2020-08-22T15:40:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/94995#M7370 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7484">@Nachum_Moshe</a>&nbsp;can you please assist?</P> Mon, 24 Aug 2020 06:04:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/94995#M7370 Royi_Priov 2020-08-24T06:04:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/95036#M7371 <H5>Client authentication supports only TLS and SSLv3.&nbsp; SSLv2 is not supported.</H5> <H5>We have 2 relevant flags within this legacy feature: TLS and SSLv3.</H5> <H5>TLS is enabled by default. To disable it, need to configure ASSL_NO_TLS=1. There is no option to distinguish between TLS versions.</H5> <H5>As for SSLv3,&nbsp;</H5> <H5>from R80.40<STRONG><U>,</U></STRONG>&nbsp;SSLv3 is disabled by default. To enable it, need to configure ASSL_NO_SSLV3=0.</H5> <H5>before R80.40, on Jumbos,&nbsp;SSLv3 is enabled by default. To disable it, need to configure ASSL_NO_SSLV3=1.</H5> <H5>Nachum</H5> <H5>GM, Web Security Framework.</H5> Mon, 24 Aug 2020 11:32:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-Client-auth-SSL-TLS-version/m-p/95036#M7371 Nachum_Moshe 2020-08-24T11:32:26Z