<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Disable SSLv3 on CPCA in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/Disable-SSLv3-on-CPCA/m-p/132304#M23922</link>
    <description>&lt;P&gt;OK, I have a solution/workaround, but it's an issue CP will need to fix.&lt;/P&gt;
&lt;P&gt;The LTA.tgz file on the cloud portal contains an outdated version of "opsec_pull_cert" and "opsec_pull_cert.exe"; this version only seems to support SSLv3. The way to resolve it is to run this on your log server:&lt;/P&gt;
&lt;P&gt;find / -name opsec_pull_cert&lt;/P&gt;
&lt;P&gt;and find the version bundled with log exporter (on my R80.40 it was in /opt/CPrt-R80.40/log_indexer/opsec_pull_cert).&lt;/P&gt;
&lt;P&gt;Copy that binary file, and overwrite it in the LTA extracted folder. Now when you run ./LTA run, the fetch certificate process will work and use TLS 1.x because it's using the newer opsec_pull_cert binary.&lt;/P&gt;</description>
    <pubDate>Wed, 20 Oct 2021 23:02:37 GMT</pubDate>
    <dc:creator>Ryan_Ryan</dc:creator>
    <dc:date>2021-10-20T23:02:37Z</dc:date>
    <item>
      <title>Disable SSLv3 on CPCA</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Disable-SSLv3-on-CPCA/m-p/132183#M23917</link>
      <description>&lt;P&gt;Hi, I am following:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://dl3.checkpoint.com/paid/7a/7ab66b38bbe0505e3933c89fe00b020d/CP_CloudServices_AdminGuide_2.5.pdf?HashKey=1634714374_18847c131f7a7abdb9f522f26491882d&amp;amp;xtn=.pdf" target="_blank"&gt;https://dl3.checkpoint.com/paid/7a/7ab66b38bbe0505e3933c89fe00b020d/CP_CloudServices_AdminGuide_2.5.pdf?HashKey=1634714374_18847c131f7a7abdb9f522f26491882d&amp;amp;xtn=.pdf&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;to set up LTA between our cloud and the on-prem log server. I am stuck at the point of pulling the cert from the manager to the log server. Running the script does it for you, and the document also details how to do it manually; however, both fail with the same error:&lt;/P&gt;
&lt;P&gt;Opsec error. rc=-1 err=-100 General error in Certificate Authority&lt;/P&gt;
&lt;P&gt;(command: opsec_pull_cert)&lt;/P&gt;
&lt;P&gt;I did a tcpdump on the traffic; what I am seeing is the log server trying to establish an SSLv3 connection to the manager on port 18210, and the session tanks out with a handshake failed. I suspect the manager is refusing to communicate on SSLv3. Is there any way I can turn off SSLv3 on the log server? I have it already disabled on the webserver; I am not sure where this setting would be. Alternatively, can I enable it temporarily on the manager to get the cert pushed?&lt;/P&gt;</description>
      <pubDate>Wed, 20 Oct 2021 07:30:15 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Disable-SSLv3-on-CPCA/m-p/132183#M23917</guid>
      <dc:creator>Ryan_Ryan</dc:creator>
      <dc:date>2021-10-20T07:30:15Z</dc:date>
    </item>
    <item>
      <title>Re: Disable SSLv3 on CPCA</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Disable-SSLv3-on-CPCA/m-p/132304#M23922</link>
      <description>&lt;P&gt;OK, I have a solution/workaround, but it's an issue CP will need to fix.&lt;/P&gt;
&lt;P&gt;The LTA.tgz file on the cloud portal contains an outdated version of "opsec_pull_cert" and "opsec_pull_cert.exe"; this version only seems to support SSLv3. The way to resolve it is to run this on your log server:&lt;/P&gt;
&lt;P&gt;find / -name opsec_pull_cert&lt;/P&gt;
&lt;P&gt;and find the version bundled with log exporter (on my R80.40 it was in /opt/CPrt-R80.40/log_indexer/opsec_pull_cert).&lt;/P&gt;
&lt;P&gt;Copy that binary file, and overwrite it in the LTA extracted folder. Now when you run ./LTA run, the fetch certificate process will work and use TLS 1.x because it's using the newer opsec_pull_cert binary.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Oct 2021 23:02:37 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Disable-SSLv3-on-CPCA/m-p/132304#M23922</guid>
      <dc:creator>Ryan_Ryan</dc:creator>
      <dc:date>2021-10-20T23:02:37Z</dc:date>
    </item>
  </channel>
</rss>

