topic Re: SIC initialization still communicates over SSLv3 ? in General Topics

SIC initialization still communicates over SSLv3 ?

Herr_O — Tue, 08 Oct 2024 14:22:53 GMT

Hello everyone,

the sk107166 "TLS1.2 Support Plan for Check Point Products" seems to be vallid and maintained (Last modified
2023-09-11).
I find the note that the SIC initialization still communicates via ssl v3. Is this really the case and if so, why?

Of course it is only the initialization, but I am afraid that this is a topic that I have to discuss with our internal audit department and would like to avoid this 😉

Regards,

Re: SIC initialization still communicates over SSLv3 ?

Tal_Paz-Fridman — Tue, 08 Oct 2024 16:31:21 GMT

R81.10 and higher:

https://support.checkpoint.com/results/sk/sk178505

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Secure-Internal-Communication.htm

Re: SIC initialization still communicates over SSLv3 ?

Herr_O — Wed, 09 Oct 2024 06:40:59 GMT

Thanks for the answer
I know the SIC communication, but my question refers explicitly to the SIC initialization

------

https://support.checkpoint.com/results/sk/sk107166

Notes:

The schedule can be subject to modifications. For most up-to-date information, revisit this page or subscribe to RSS feed (at the top).
Support for TLS 1.2 was integrated since Take 266 of R77.30 Jumbo Hotfix.
- The SIC initialization still communicates over SSLv3.
- For VSX Gateway, refer to sk112014 - "Cannot establish connection to SSL Network Extender gateway. Try to reconnect." error when connecting with SSL Network Extender to Mobile Access Portal on VSX Virtual System after installing the "TLS 1.2 Hotfix for R77.30".
- Before installing Take 266 and higher of R77.30 Jumbo Hotfix, make sure to back up all the current httpd.conf files:
  [Expert@HostName:0]# find / -name httpd.conf -type f
  If any changes were made in the past in the httpd.conf files, then the new httpd.conf files should be edited manually (do NOT overwrite the new files with the backed up files).
- If a connection from a SmartConsole computer to a Security Management Server / Domain Management Server must also be TLS 1.2, then an improved SmartConsole can be provided (otherwise, the communication will be TLS 1.0).
  This requires Take 266 and higher of R77.30 Jumbo Hotfix to be installed on the Security Management Server / Multi-Domain Security Management Server.

Re: SIC initialization still communicates over SSLv3 ?

_Val_ — Wed, 09 Oct 2024 08:40:30 GMT

@Herr_O You are looking into the older SK, while @Tal_Paz-Fridman provided you with the updated information. Initialization is part of SIC, so sk178505 applies.

Now, if you need a stumped official response you could use for the audit, it is advisable to open a TAC ticket for 100% official answer.

Re: SIC initialization still communicates over SSLv3 ?

Tal_Paz-Fridman — Wed, 09 Oct 2024 10:51:13 GMT

I've spoken to R&D owner and SIC initialization uses TLS 1.2 in R81.10 and higher versions.