https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277110#M46194 <P>Good Catch, indeed it is T183.</P> <P>Gateways are slated for upgrade to R82 in the next month - I will definitely make a note to see if the findings are still valid.</P> Tue, 19 May 2026 13:28:27 GMT Ruan_Kotze 2026-05-19T13:28:27Z https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277102#M46190 <P>Good Day,</P> <P>I have an interesting scenario and my research is giving me conflicting answers.</P> <P>I am publishing a webserver through an R81.10 T190 gateway (Managed by an R82 SMS).&nbsp; Inbound HTTPS inspection has been configured and is working well.&nbsp; There is one interesting aspect to my the https inspection rulebase.&nbsp; The webserver has a single IP but hosts multiple websites sitting on different domains (thus I cannot make use of wildcard certificates).&nbsp; In order to get inspection working I've had to add a custom application definition to the the inspection policy, like so:</P> <DIV id="tinyMceEditorRuan_Kotze_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditorRuan_Kotze_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditorRuan_Kotze_2" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2026-05-19 142557.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34262iF48C0912ABC21AF0/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2026-05-19 142557.png" alt="Screenshot 2026-05-19 142557.png" /></span></P> <P>This works well and allows me to inspect all sites.The backend webserver is hardened and configured to reject all TLS versions below 1.2.</P> <P>My challenge is as soon as I enable inspection security scanners flag the sites as accepting connections TLS 1.0 and higher.</P> <P>Here is where things get curious - running cipher_util and selecting SSL Inspection is only showing me TLS 1.2 and TLS 1.3 ciphers.&nbsp; In the old days we could set the&nbsp;<EM><STRONG>ssl_min_ver</STRONG></EM><SPAN>&nbsp; using GuiDBedit, but I believe that has been deprecated. For what it's worth the setting there is TLS1.0 and TLS1.2 for ssl_min_ver and ssl_max_ver respectively.</SPAN></P> <P><SPAN>Why would my gateway be offering these deprecated ciphers (considering it's disabled on the back-end site), and how to correct it?</SPAN></P> <P><SPAN>Thanks,<BR />Ruan</SPAN></P> Tue, 19 May 2026 12:55:49 GMT https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277102#M46190 Ruan_Kotze 2026-05-19T12:55:49Z https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277104#M46191 <P>Quick Update,</P> <P>3 new datapoints:<BR />The gateways still obeys the&nbsp;ssl_min_ver parameter. I raised the min_ver to 1.1 and this reflected in my scan result.<BR />Conversely, ssl_max_ver is not obeyed. Despite it set to 1.2 (no option exists for 1.3) scans correctly show the website as offering 1.3<BR />Setting the access policy Service to TLS1.2 (as opposed to HTTPS) surprisingly has no impact on scan result.</P> <P>Thanks,<BR />Ruan</P> Tue, 19 May 2026 13:15:30 GMT https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277104#M46191 Ruan_Kotze 2026-05-19T13:15:30Z https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277109#M46193 <P>please share correct version number and take number T183 is latest version for R81.10 that is now EOL</P> Tue, 19 May 2026 13:25:50 GMT https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277109#M46193 Lesley 2026-05-19T13:25:50Z https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277110#M46194 <P>Good Catch, indeed it is T183.</P> <P>Gateways are slated for upgrade to R82 in the next month - I will definitely make a note to see if the findings are still valid.</P> Tue, 19 May 2026 13:28:27 GMT https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277110#M46194 Ruan_Kotze 2026-05-19T13:28:27Z https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277124#M46195 <P>I would upgrade first and then see what ssllabs will report regarding ssl ciphers after that follow indeed the cipher tool. Note there are many changes done in R82 for https inspection:&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 542px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34265i3504EFF68C98DB5C/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Tue, 19 May 2026 14:52:04 GMT https://community.checkpoint.com/t5/General-Topics/Enforcing-TLS-level-with-Inbound-HTTPS-Inspection/m-p/277124#M46195 Lesley 2026-05-19T14:52:04Z