John_Fleming
Advisor
Jump to solution

Legacy Client auth SSL/TLS version

I'm trying to track down how to get legacy client authentication to disable SSLv2/v3 TLS1.0 and TLS1.1. I found

 

sk102989 - Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

and

sk100584 - Cipher strength for Client Authentication feature is under 128-bit and there is no way to control which SSL version to use

 

both basically say to set ASSL_NO_SSLV2=1 and ASSL_NO_SSLV3=1 (how they say to set them is a little different but end result looks the same).

However sk100584 also says how to disable TLS1.0 (but not TLS 1.1 ?) but also says you can't disable all three.

 

I'm a little confused about what the proper way is to disable the insecure protocols here. My goal would be to only support TLS1.2 for client auth. Yes, I know captive portal would be better, but we're not in a place where we can move everything yet.


Accepted Solutions
Nachum_Moshe
Employee

Client authentication supports only TLS and SSLv3. SSLv2 is not supported.
We have 2 relevant flags within this legacy feature: TLS and SSLv3.
TLS is enabled by default. To disable it, you need to configure ASSL_NO_TLS=1. There is no option to distinguish between TLS versions.
As for SSLv3:
- from R80.40, SSLv3 is disabled by default. To enable it, you need to configure ASSL_NO_SSLV3=0.
- before R80.40, on Jumbos, SSLv3 is enabled by default. To disable it, you need to configure ASSL_NO_SSLV3=1.

Nachum
GM, Web Security Framework.
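Since the answer above says the legacy feature can only switch TLS on or off as a whole (no per-version control) and SSLv3 is flag-controlled, the useful check after changing ASSL_NO_SSLV3 / ASSL_NO_TLS is to probe the listener from a client and see which protocol versions it actually completes a handshake for. The following is an added example, not code from the thread or from Check Point: it pins a Python ssl client to one protocol version at a time and reports which versions the listener accepted, then compares that against the original poster's goal (TLS1.2 only). The host and port are assumptions (placeholders for the gateway's Client Authentication listener); SSLv2 is not probed because Python's ssl module cannot offer it.

```python
import socket
import ssl

# Assumed target: the gateway's Client Authentication listener (placeholder values).
TARGET_HOST = "gateway.example.internal"
TARGET_PORT = 900

# Protocol versions this probe can pin the client to.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}

# The versions the question wants the listener to reject.
DEPRECATED = ("SSLv3", "TLS1.0", "TLS1.1")


def probe_version(host, port, version, timeout=5.0):
    """Return True if the listener completes a handshake pinned to exactly
    `version`, False if it refuses, None if the local OpenSSL build cannot
    even offer that version (common for SSLv3 on modern systems)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The probe is about protocol negotiation, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    # Older versions need legacy cipher suites; if the build rejects the
    # string (e.g. LibreSSL has no @SECLEVEL), keep the default cipher list.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port):
    """Map each version name to the probe result for that listener."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def leftover_deprecated(results):
    """Deprecated versions the listener still accepted (True results only;
    None means 'could not test', which is reported separately)."""
    return [name for name in DEPRECATED if results.get(name) is True]


def untestable(results):
    """Versions the local OpenSSL could not offer, so the probe says nothing."""
    return [name for name, ok in results.items() if ok is None]


def meets_goal(results):
    """The thread's goal: TLS1.2 is accepted and no deprecated version is."""
    return results.get("TLS1.2") is True and not leftover_deprecated(results)


if __name__ == "__main__":
    found = probe_all(TARGET_HOST, TARGET_PORT)
    for name, ok in found.items():
        print(f"{name:7s} {'accepted' if ok else 'not testable' if ok is None else 'refused'}")
    print("still accepts deprecated:", leftover_deprecated(found) or "none")
    print("could not test:", untestable(found) or "none")
    print("TLS1.2-only goal met:", meets_goal(found))
```

A version reported as "not testable" is not evidence that the gateway rejects it, only that this client could not offer it; to cover SSLv3 on a system whose OpenSSL has it compiled out, run the probe from a host with an older toolchain or use a scanner that implements the handshake itself.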

3 Replies
PhoneBoy
Admin

As you probably know, Client Auth is a legacy feature.
Not sure if fixing Client Auth falls under @Royi_Priov ’s team or not.
That said, understanding the precise use case for Client Auth may be useful so we can make Identity Awareness support it.

Royi_Priov
Employee

@Nachum_Moshe can you please assist?

Thanks,
Royi Priov
Group manager, Identity Awareness R&D