Hi
I have used the following two SKs to disable a number of ciphers and limited to TLS1.2
SK126613: Change the ciphersuite using cipher utility
SK147272: Change the cipher suite settings in httpd-ssl.conf.templ
They were successful, up to a certain point. That point is the removal of further "weak" ciphers (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA), which my security team identified as static cipher suites.
I've tried to reapply these SKs but when I run nmap, the three ciphers still return.
For SK147272, we had replaced the existing cipher suite as proposed by the SK, "SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1", with
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
But nothing helped. Does anyone have any clue? I have raised this to TAC but no updates yet.
Presumably, you followed all the steps in the SK (including the part where you restart httpd)?
Can you PM me the relevant SR number?
Hi, I don't have the SR number as it was handled by a third party. But yeah, have restarted the httpd, and pushed the policy, and even did a cpstop;cpstart for good measure.
Your partner should be able to provide the Check Point SR number on request.
Here is the SR number: 6-0002439886
In vpn_cipher_priority.conf, you should probably only have the following two ciphers in the allowed section (at least according to the latest case notes):
:ECDHE-RSA-AES128-GCM-SHA256
:ECDHE-ECDSA-AES128-GCM-SHA256
FYI, in R80.40, we upgraded some of the crypto infrastructure and it might be worth upgrading to leverage more current crypto ciphers.
From R80.30, we have a CLI too (cipher_util) to make it easier to enable/disable ciphers.
R80.10 is nearing End of Support and I suggest planning to upgrade.
Thanks, mate! Let me test it out and report the results here. Yes, upgrading to R80.40 is in the pipeline due to the EOS.
Edit: No joy. But the similar results make me guess that the registry update or install policy is not working? I tried the debug options under the Troubleshooting section but I was not able to see any logs pertaining to vpnd.elg / cptls_params_reorder_ciphers.
Edit (2): do note, the following setting will cause the Check Point VPN to be unable to connect.
Changing the vpn_cipher_priority.conf does not seem to help; in any case, this affects the Endpoint VPN client connection, rather than standard HTTPS/443, which was what nmap was looking at.
The VPN client will be unable to connect if I remove these: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA. Luckily, one of our guys was still connected and was able to undo the changes.
TAC's advice is that after the two SKs there is nothing else they can do, and upgrading seems to be my only option.
Agree that upgrading is probably a good idea here, especially given R80.10 is nearing its End of Support date.
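A practical check to run before touching httpd-ssl.conf.templ, added here as an example and not part of the thread or of the SKs: evaluate the SSLCipherSuite string with the local OpenSSL (through Python's ssl module) and list which enabled suites use static RSA key exchange (Kx=RSA, the TLS_RSA_WITH_* suites that nmap's ssl-enum-ciphers reports). nmap prints IANA names while the Apache directive uses OpenSSL names, so the example also maps the three suites named in the thread between the two namings. The two cipher strings are the ones quoted in the thread; the IANA-to-OpenSSL table and the function names are this example's own. Results depend on the OpenSSL build the script runs against, which should match the one on the gateway for the check to be meaningful.

```python
"""Evaluate an OpenSSL SSLCipherSuite string for static-RSA key exchange.

Added example (not from the thread): the local OpenSSL expands the string, and
every enabled suite whose description reads Kx=RSA is flagged as a static-RSA
(no forward secrecy) suite, i.e. a TLS_RSA_WITH_* suite in scanner output.
"""
import re
import ssl

# IANA names as printed by nmap ssl-enum-ciphers -> OpenSSL names as used in
# SSLCipherSuite. Only the three suites named in the thread are listed here.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
}

# The SSLCipherSuite value proposed by the SK, as quoted in the thread.
SK_STRING = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:"
    "!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1"
)

# The replacement string the poster tried, as quoted in the thread.
REPLACEMENT_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

# OpenSSL cipher descriptions look like "AES128-SHA SSLv3 Kx=RSA Au=RSA ..."
_KX_RE = re.compile(r"\bKx=(\S+)")


def enabled_suites(cipher_string):
    """Return (openssl_name, protocol, kx) for every suite the string enables.

    The expansion is done by the local OpenSSL, exactly as SSL_CTX_set_cipher_list
    would do it for Apache. TLS 1.3 suites (Kx=any) are listed as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        match = _KX_RE.search(c.get("description", ""))
        kx = match.group(1) if match else c.get("kea", "?")
        suites.append((c["name"], c["protocol"], kx))
    return suites


def static_rsa_suites(cipher_string):
    """OpenSSL names of enabled TLS <= 1.2 suites that use static RSA key exchange."""
    return [
        name
        for name, proto, kx in enabled_suites(cipher_string)
        if proto != "TLSv1.3" and kx.upper() == "RSA"
    ]


def still_offered(cipher_string, iana_names):
    """Which of the scanner-reported IANA suites the string still enables."""
    enabled = {name for name, _, _ in enabled_suites(cipher_string)}
    return sorted(n for n in iana_names if IANA_TO_OPENSSL[n] in enabled)


if __name__ == "__main__":
    for label, s in (("SK string", SK_STRING), ("replacement", REPLACEMENT_STRING)):
        print(f"{label}: static-RSA suites = {static_rsa_suites(s)}")
        print(f"{label}: thread suites still enabled = "
              f"{still_offered(s, IANA_TO_OPENSSL)}")
```

The SK string keeps static-RSA suites because it contains both AES256-SHA256 and the bare "RSA" alias (only the SHA1-MAC ones fall to "!SHA1"), whereas the replacement string enables no Kx=RSA suite at all. If a string passes this check and `nmap --script ssl-enum-ciphers -p 443 <gateway>` still lists the TLS_RSA_WITH_* suites after the restart, the directive being edited is not what governs the listener answering on that port, which is the situation the thread ends in.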