topic Re: Gaia Portal SSL cipher suites in General Topics

Gaia Portal SSL cipher suites

G_W_Albrecht — Thu, 30 Jun 2022 08:19:33 GMT

sk147272 currently is the suggested procedure to remove vulnerable ssl ciphers and protocols. The sk120774 and sk111307 does a reboot instead of the final steps, sk163542 only shows the current status and sk126613 is using the cipher tool that only works with MultiPortal enabled. I have summed up information from several source to get it discussed here:

1. First, see the active ciphers:

more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

2. So we know how to ask for TLS versions:

cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1
TLSv1.2
TLSv1.3

After a backup of the original template file:

[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL

3. Assign the 'write' permission to the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

4. Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

5. In the section, change:

from:

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

To:

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

(from sk147272 - used in the following parts): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

Notes:

see the active ciphers:

more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

[Expert@HostName:0]# cpopenssl ciphers -v 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1.2
TLSv1.3

Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# chmod -v u-w /web/templates/httpd-ssl.conf.templ

9. Update the current configuration of the HTTPD daemon based on the modified configuration template:

[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active

10. Restart the HTTPD daemon:

[Expert@HostName:0]# tellpm process:httpd2

[Expert@HostName:0]# tellpm process:httpd2 t

Re: Gaia Portal SSL cipher suites

Vladimir — Wed, 29 Jun 2022 14:40:17 GMT

@G_W_Albrecht , I suppose it'll work on SMS as well.

Did you try running cipher_util afterwards to see if its output matching your modifications?

Cheers,

Vladimir

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Thu, 30 Jun 2022 08:24:54 GMT

Yes, this is for GW or SMS. On GW, cipher_util works and shows:

Enabled:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

Re: Gaia Portal SSL cipher suites

Vladimir — Thu, 30 Jun 2022 13:56:20 GMT

Thank you!

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Thu, 30 Jun 2022 14:01:33 GMT

What puzzles me is the difference here:

(from sk147272): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

What about no Medium:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

Anyone found a link to mod_ssl syntax not from 2001 ?

Re: Gaia Portal SSL cipher suites

Vladimir — Thu, 30 Jun 2022 17:25:33 GMT

I was not looking at it specifically, but let's loop in @PhoneBoy to see if he knows...

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Fri, 01 Jul 2022 09:02:46 GMT

I found it here: https://httpd.apache.org/docs/current/mod/mod_ssl.html

The interesting part:

Aliases:
`SSLv3`	all SSL version 3.0 ciphers
`TLSv1`	all TLS version 1.0 ciphers
`EXP`	all export ciphers
`EXPORT40`	all 40-bit export ciphers only
`EXPORT56`	all 56-bit export ciphers only
`LOW`	all low strength ciphers (no export, single DES)
`MEDIUM`	all ciphers with 128 bit encryption
`HIGH`	all ciphers using Triple-DES
`RSA`	all ciphers using RSA key exchange
`DH`	all ciphers using Diffie-Hellman key exchange
`EDH`	all ciphers using Ephemeral Diffie-Hellman key exchange
`ECDH`	Elliptic Curve Diffie-Hellman key exchange
`ADH`	all ciphers using Anonymous Diffie-Hellman key exchange
`AECDH`	all ciphers using Anonymous Elliptic Curve Diffie-Hellman key exchange
`SRP`	all ciphers using Secure Remote Password (SRP) key exchange
`DSS`	all ciphers using DSS authentication
`ECDSA`	all ciphers using ECDSA authentication

So combining both from above excluding 128 bit encryption would read:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RSA:+HIGH:!ADH:!EXP:!ECDSA:!aECDH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

Re: Gaia Portal SSL cipher suites

just13pro — Mon, 05 Sep 2022 09:42:03 GMT

If I only enabled these 2 ciphers, I am not able to open the Gaia portal.

- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256

Is there anything that I missed?

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Mon, 05 Sep 2022 11:26:21 GMT

R81.10 has changed the TLS switch and sk147272 now has:

WARNING: This configuration change is NOT COMPATIBLE with R81.10 and newer releases. Performing step 6 above on an R81.10 system will result in management API failure to start.

R81.10 comes out of the box with TLS 1.2 as the lowest enabled TLS version. On R81.10 and newer, please use the clish command to change the supported TLS version:

HOST> set ssl tls TLSv1.3 on
HOST> set ssl tls TLSv1.2 off
HOST> save config
HOST>

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Mon, 05 Sep 2022 11:46:00 GMT

Maybe you GAiA Portal Cert is SHA-1 from an old installation, see sk108252 ?

Re: Gaia Portal SSL cipher suites

Maher — Tue, 29 Nov 2022 20:25:32 GMT

Hi,

I have a Cloudguard VMSS in Azure, I would like to remove vulnerable cipher suites (as shown in sk147272) for new provisioned GWs in case of Scale Out via CME. Do you have any idea how to do it please?

my cloudguards VMSS are in R81.10

Thanks!

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Wed, 30 Nov 2022 10:46:47 GMT

No.

Re: Gaia Portal SSL cipher suites

Dmitry_Gorn — Tue, 06 Dec 2022 17:10:56 GMT

It is possible to create a bash script that implements the configurations from the SK and configure it to run on every scaled-out instance.

Please refer to the CME Admin Guide here:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CME/Content/Topics-CME/CME_Structure_and_Configurations.htm?Highlight=custom%20script

Under "Supported Configuration Template parameters", argument "CUSTOM_GATEWAY_SCRIPT".

Regards,

Dmitry

Re: Gaia Portal SSL cipher suites

Robin_H — Tue, 16 Jan 2024 15:21:13 GMT

Are there scenarios where this "manual disabling of TLSv1.x" is needed even after sk154532 is applied where snx_ssl_min_ver has already been set to TLS1.2?

Re: Gaia Portal SSL cipher suites

CPnoob — Thu, 21 Mar 2024 08:11:50 GMT

Does this fix of the cypher suites apply to a R77.30?
I know it is old and I an trying to push a new box in, but untill then.

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Thu, 21 Mar 2024 09:48:43 GMT

I do not know of such scenarios nor why they should exist, so you would have to look for yourself...

Re: Gaia Portal SSL cipher suites

G_W_Albrecht — Thu, 21 Mar 2024 10:10:07 GMT

R77.30 is out of support since September 2019, so Gaia SSL Cipher suites are the least important issue - as IPS, AV, URLF and all other TP will not work, this can not be called a security solution! See https://support.checkpoint.com/results/sk/sk111307 about how to do this.