Gregory_Link
Contributor

SSL Inspection Broken - Wikipedia

All,

It seems we've always had issues off and on with Check Point's SSL Inspection and are routinely needing to bypass sites/IPs on a regular basis, so I thought I would reach out to see if this is the norm or if I'm missing something. How are other people handling this?

A great example came up today with Wikipedia (see below). 

We are running R77.30 - Build 092

HOTFIX_R77_30
HOTFIX_GEYSER_PINK6_HF
HOTFIX_R77_30_HF5_PINK_PERF_003
HOTFIX_GEYSER_HF_BASE_861
HOTFIX_R77_30_JUMBO_HF    Take: 286
HOTFIX_R77_30_JHF_T280_240

Your Browser's Connection Security is Outdated


English: Wikipedia is making the site more secure. You are using an old web browser that will not be able to connect to Wikipedia in the future. Please update your device or contact your IT administrator.

We are removing support for non forward secret ciphers, specifically AES128-SHA, which your browser software relies on to connect to our sites. This is usually caused by using some ancient browsers or user agents like old Nokia smartphones or Sony Playstation3 gaming consoles. Also it could be interference from corporate or personal "Web Security" software which actually downgrades connection security.

You must upgrade your browser or otherwise fix this issue to access our sites. This message will remain until Aug 1, 2018. After that date, your browser will not be able to establish a connection to our servers at all.

1 Solution

Accepted Solutions
Henrique_Sauer_
Contributor

Hello Gregory,

Have a look at this sk:

This can be helpful too:

Are these parameters enabled in your gateway?

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_RI_AS_CLIENT_EXT 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1

You should check running this command:

cat $CPDIR/registry/HKLM_registry.data | grep -i cptls

Regards

0 Kudos
4 Replies
Gregory_Link
Contributor

Hi Henrique,

The command you provided returned 0 results on both of our firewalls.  Does that then mean these parameters need to be added?  If so, will this have any adverse impact?

Thanks,

Greg Link

0 Kudos
Henrique_Sauer_
Contributor

No, it won't have any impact.

Try to add them and check again:

To add:

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_RI_AS_CLIENT_EXT 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1

On both gateways.

cpstop; cpstart required.

To delete if you want:

ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE
ckp_regedit -d SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384
ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CPTLS_RI_AS_CLIENT_EXT
ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA


Regards dear and hope it helps

0 Kudos
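The cipher-suite point behind both the Wikipedia notice (AES128-SHA is static RSA key exchange, no forward secrecy) and the CPTLS_PROPOSE_ECDHE parameter above, as an added Python example that is not from this thread or from Check Point: it classifies cipher suites by forward secrecy using OpenSSL names and models a server that accepts only forward-secret suites against an inspecting gateway that does or does not propose ECDHE. The sample suite lists are constructed, not captured from a real gateway or from Wikipedia.

```python
"""Added example: forward-secrecy classification of TLS cipher suites and a
model of the negotiation failure described in the thread."""
import re
import ssl
from typing import Iterable, Optional, Tuple

# OpenSSL key-exchange prefixes that use an ephemeral (forward-secret) exchange.
_EPHEMERAL_KX = re.compile(r"^(ECDHE|DHE|EDH)-")


def is_forward_secret(suite: str) -> bool:
    """True when the suite's key exchange is ephemeral.

    TLS 1.3 suites (TLS_...) always use (EC)DHE. For TLS 1.2 and earlier
    only (EC)DHE-prefixed suites do; a bare name such as AES128-SHA is
    static RSA key exchange, which is what a server that removes
    non-forward-secret ciphers stops accepting.
    """
    if suite.startswith("TLS_"):
        return True
    return _EPHEMERAL_KX.match(suite) is not None


def negotiate(client_offer: Iterable[str], server_accept: Iterable[str]) -> Optional[str]:
    """Server-preference negotiation: the first suite in the server's ordered
    list that the client also offered, or None (handshake failure)."""
    offered = set(client_offer)
    return next((s for s in server_accept if s in offered), None)


def local_default_forward_secrecy() -> Tuple[int, int]:
    """(forward-secret, total) suites in this Python/OpenSSL build's default
    client context; a sanity check of the classifier against real names."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return sum(is_forward_secret(n) for n in names), len(names)


# Constructed sample lists (assumption: not captured from a real gateway).
SERVER_FS_ONLY = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                  "ECDHE-RSA-AES128-SHA"]
GATEWAY_NO_ECDHE = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
GATEWAY_WITH_ECDHE = ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"] + GATEWAY_NO_ECDHE

if __name__ == "__main__":
    for label, offer in (("no ECDHE", GATEWAY_NO_ECDHE), ("with ECDHE", GATEWAY_WITH_ECDHE)):
        print(f"gateway {label}: negotiated {negotiate(offer, SERVER_FS_ONLY)}")
    fs, total = local_default_forward_secrecy()
    print(f"local default context: {fs}/{total} suites forward secret")
```

With the gateway offering only static-RSA suites the negotiation returns None, which is the connection failure Wikipedia warned about; once ECDHE suites are proposed the server picks ECDHE-RSA-AES128-GCM-SHA256.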
PhoneBoy
Admin

Based on the number of threads we see on CheckMates related to this topic, you're not alone.

There are some HTTPS Inspection improvements in later versions of the Jumbo Hotfix that you may wish to investigate.

We are also working on improvements in later releases.
