topic Re: SSLv2.0 and R80.20 in General Topics

SSLv2.0 and R80.20

ed300zx — Wed, 25 Sep 2019 15:36:24 GMT

Hello All,

We turned on SSL Inspection on R80.20 and basically everything in our environment crashed. Looking at the logs it showed that majority of the drops were SSLv2.0 is not supported. I saw sk108654, however was notified by Checkpoint support that there is no hotfix for R80.20. There are too many sites that are using SSLv2.0 so a workaround is needed in our environment. Is there anyway to bypass all SSLv2.0 traffic other than based on category?

Re: SSLv2.0 and R80.20

PhoneBoy — Wed, 25 Sep 2019 17:37:41 GMT

You can do bypass by IP address for sites you know use SSLv2.

Re: SSLv2.0 and R80.20

ed300zx — Wed, 25 Sep 2019 17:56:13 GMT

I did an export of the logs and it showed more than 65k IP's that were SSLv2. It brought down Skype, Outlook and internal sites. Can we bypass based on applications such as Skype, Outlook?

Re: SSLv2.0 and R80.20

Wolfgang — Wed, 25 Sep 2019 19:41:26 GMT

Ed300zx,

I‘m thinking your problem isn‘t related to SSLv2.0 .

None of your mentioned sites is using SSLv2, these is an unsecure protocol and should not used by the website owners. And most of the common owners doesn‘t.

Are you really sure that outlook and Skype in your connections is using SSLv2 ?

Maybee the logs are showing something wrong...can you please provide one ?

Did you opened a TAC case to check this behaviour ?

Wolfgang

Re: SSLv2.0 and R80.20

ed300zx — Wed, 25 Sep 2019 19:52:10 GMT

Well correction, Skype and Outlook went down due to expired certs. SSLv2 has to do with internal sites we have. Totally agree SSLv2 is insecure and should not be used. But its a up hill battle with the web app team. So trying to figure out a work around.

Re: SSLv2.0 and R80.20

ed300zx — Wed, 25 Sep 2019 20:29:10 GMT

sk112214 - Several HTTPS web sites and applications might not work properly when HTTPS Inspection is enabled on Security Gateway. I guess found my answer. 🙂