topic Re: Linux users are not able to connect to SNX after removing weak ciphers in SASE and Remote Access

Linux users are not able to connect to SNX after removing weak ciphers

AngelS — Mon, 22 May 2023 08:56:40 GMT

Hi all!
After disabling some weak ciphers users on Linux and MAC are not able to connect to SSLVPN.

Firewall OS version: R81.10
User's OS: Ubuntu 22.04
SNX agent on Users's PC: 800008304
openssl version: 3.0.2

Weak ciphers being disabled are:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Weak ciphers were disabled according sk126613 (https://support.checkpoint.com/results/sk/sk126613#20)

All users using Windows can connect to SSLVPN, all users using Checkpoint Mobile client also can connect. (The ones using SSLVPN are not allowed to use Checkpoint Mobile client due to Compliance prerequisites - they are working with their personal PCs).

nsx.elg debug shows following 5 ciphers on nsx's ciphers list:

[ 80536 -138049728]@user[20 May 22:27:43] Cipher List:
[ 80536 -138049728]@user[20 May 22:27:43] 0: AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 1: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 2: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 3: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 4: DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

My guess is changing this list will solve the issue.
So is there any way this nsx cipher list to be changed?

Regards!

Re: Linux users are not able to connect to SNX after removing weak ciphers

Alex- — Mon, 22 May 2023 19:28:44 GMT

I had this issue a while back. Basically there are much more methods implemented in the Windows client than in the MAC/Linux ones. At least the Mac, I haven't used the Linux yet but I would assume they're similar.

RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 (ietf.org) section 9 defines that TLS_RSA_WITH_AES_128_CBC_SHA is mandatory and with the clients you mentioned it seems to be a limitation of non-Windows clients, by adding TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA MAC, clients could connect again.

Re: Linux users are not able to connect to SNX after removing weak ciphers

PhoneBoy — Mon, 22 May 2023 22:04:35 GMT

This SK says this is currently an RFE: https://support.checkpoint.com/results/sk/sk180837

Re: Linux users are not able to connect to SNX after removing weak ciphers

the_rock — Mon, 22 May 2023 22:20:28 GMT

@PhoneBoy is 100% right...had customer in the past work with TAC and they were told exact same thing, it is an RFE.

Andy

Re: Linux users are not able to connect to SNX after removing weak ciphers

AngelS — Tue, 23 May 2023 07:40:39 GMT

Thank you all! I was hoping for some easy solution (like pushing a config setting here and there 🙂 Still this perfectly explains why this issue occured. I guess we will keep these ciphers (although security scans state they are weak) at least until RFE becomes a vital SNX client option.

Cheers mates!