Trouble with the MACs after hardening Cypers/TLS/SSL

MaxGutberletRM — Tue, 31 Aug 2021 15:03:06 GMT

Hello community,

as part of PCI certification we have lately hardened our FW and removed a couple of legacy things - including e.g. support for SSLv3.

Now I have a couple of MACs who can no longer connect to the VPN - track.log looks like this:

[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: start ssl negotaition

[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: start openSSL negotaition

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_PrepareConnection: verify mode: 0

[ 688 0x201c99e00][31 Aug 16:16:38][] My SSL Ciphers:

[ 688 0x201c99e00][31 Aug 16:16:38][] Cipher List:

[ 688 0x201c99e00][31 Aug 16:16:38][] 0: AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

[ 688 0x201c99e00][31 Aug 16:16:38][] 1: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

[ 688 0x201c99e00][31 Aug 16:16:38][] 2: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: Returning OK!!!

[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CloseProxyConn: Starting ...

[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CancelConnect: Starting ...

[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CancelConnect: Proxy connection is in init state. Cannot cancel connection

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: current state = before/connect initialization

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: should retry.

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: current state = SSLv2/v3 read server hello A

[ 688 0x201c99e00][31 Aug 16:16:38][] SSL e stack

[ 688 0x201c99e00][31 Aug 16:16:38][] 688:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757

Now the obvious question: why is the MAC Client only trying to connect using SSLv3 ? Surely Is this a left over from previous configs ? We tried deinstall/install but no success.

My cypher list is now:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Any help appreciated.

Regards

Re: Trouble with the MACs after hardening Cypers/TLS/SSL

PhoneBoy — Mon, 06 Sep 2021 22:53:43 GMT

What precise client is connecting?
What precise version of it?

Re: Trouble with the MACs after hardening Cypers/TLS/SSL

Alex- — Tue, 07 Sep 2021 07:02:53 GMT

Try by adding back TLS_RSA_WITH_AES_128_CBC_SHA to comply with the minimum specifications of the TLS 1.2 RFC.

I had an issue where MAC's wouldn't connect and this solved it.

As your logs show, the MAC client is expecting at least these suites:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

But it should do with the AES ones.

Re: Trouble with the MACs after hardening Cypers/TLS/SSL

MaxGutberletRM — Wed, 08 Sep 2021 09:45:54 GMT

This ! I re-enabled the AES-256 ciphers and it worked How do we turn this into a feature Request "MAC Client should be able to connect without RSA based cipher algorithms" ?

topic Re: Trouble with the MACs after hardening Cypers/TLS/SSL in SASE and Remote Access

Trouble with the MACs after hardening Cypers/TLS/SSL

Re: Trouble with the MACs after hardening Cypers/TLS/SSL

Re: Trouble with the MACs after hardening Cypers/TLS/SSL

Re: Trouble with the MACs after hardening Cypers/TLS/SSL