https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-ECDHE/m-p/33240#M6970 <HTML><HEAD></HEAD><BODY><P><A class="link-titled" href="https://www.ssllabs.com/ssl-pulse/" title="https://www.ssllabs.com/ssl-pulse/">Qualys SSL Labs - SSL Pulse</A>&nbsp;?</P></BODY></HTML> Fri, 05 Oct 2018 03:32:05 GMT Ofir_Shikolski 2018-10-05T03:32:05Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-ECDHE/m-p/33239#M6969 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P>Symptoms here are, with HTTPS inspection enabled on an R77.30 gateway, I have had quite a few sites not working, ("connection terminated")&nbsp;</P><P></P><P>The workaround I have been using, was to put a bypass for the IP address of the site in position #1 in the policy (Putting a bypass by regex matching URl does not fix it). As the number of sites has growing, I need a proper fix. I have found all the offending sites seem to be offering&nbsp;TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as their first preference.&nbsp;</P><P></P><P>I found&nbsp;<SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">sk110883 which seems to relate. As I am running take 317. I believe all I need to do is the registry change to support 384 and reboot.&nbsp;</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">&nbsp;</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">It looks like I have two options though:</SPAN></P><P></P><UL><LI><P>To prefer / propose ECDHE cipher suites:</P><OL type="A"><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1</STRONG></EM></LI><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1</STRONG></EM></LI></OL></LI><LI><P>To prefer / propose ECDSA cipher suites:</P><OL type="A"><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1</STRONG></EM></LI><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1</STRONG></EM></LI></OL></LI></UL><P></P><P></P><P>I presume I would choose ECDHE and just run those two lines, is there any potential for breaking&nbsp;sites using ECDSA?</P><P></P><P>thanks</P></BODY></HTML> Fri, 05 Oct 2018 02:11:49 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-ECDHE/m-p/33239#M6969 Ryan_Ryan 2018-10-05T02:11:49Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-ECDHE/m-p/33240#M6970 <HTML><HEAD></HEAD><BODY><P><A class="link-titled" href="https://www.ssllabs.com/ssl-pulse/" title="https://www.ssllabs.com/ssl-pulse/">Qualys SSL Labs - SSL Pulse</A>&nbsp;?</P></BODY></HTML> Fri, 05 Oct 2018 03:32:05 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-ECDHE/m-p/33240#M6970 Ofir_Shikolski 2018-10-05T03:32:05Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-ECDHE/m-p/33241#M6971 <HTML><HEAD></HEAD><BODY><P>So after making the change I had some improvements, some websites that were previously broken started working without needing an https bypass.</P><P></P><P>However I found some sites still don't load unless specially bypassed by IP address.</P><P></P><P>When I look at the first cipher offered by the website, it reports:</P><P>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</P><P></P><P>When I look at this page of supported ciphers:</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104562" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104562">Supported cipher suites for HTTPS Inspection</A>&nbsp;</P><P>we can see that its specifically not supported. So my question is, what exactly can we do about it? I'm going to end up with 100's of websites in my bypass rule, and as we have to do it via IP, anytime a site changes IP or one that uses CDN its going to break again.</P><P></P><P>It makes sense that the bypass doesn't work by url regex (it can't see the url yet because it doesn't understand how to negotiate a secure connection).</P><P></P><P>Are there plans to add support for these ciphers, or some way to configure the checkpoint to try and down negotiate to a supported cipher?</P></BODY></HTML> Thu, 11 Oct 2018 05:13:10 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-ECDHE/m-p/33241#M6971 Ryan_Ryan 2018-10-11T05:13:10Z