CheckMates > Products > General Topics
Disable SSLv3 on CPCA
Hi, I am following:
to set up LTA between our cloud and the on-prem log server. I am stuck at the point of pulling the cert from the manager to the log server. Running the script does it for you, and the document also details how to do it manually; however, both fail with the same error:
Opsec error. rc=-1 err=-100 General error in Certificate Authority
(command: opsec_pull_cert )
I did a tcpdump on the traffic. What I am seeing is the log server trying to establish an SSLv3 connection to the manager on port 18210, and the session tanks out with a handshake failure. I suspect the manager is refusing to communicate on SSLv3. Is there any way I can turn off SSLv3 on the log server? I already have it disabled on the web server, but I am not sure where this setting would be. Alternatively, can I enable it temporarily on the manager to get the cert pushed?
Accepted Solutions
OK, I have a solution/workaround, but it's an issue CP will need to fix.
The LTA.tgz file on the cloud portal contains an outdated version of "opsec_pull_cert" and "opsec_pull_cert.exe"; this version only seems to support SSLv3. The way to resolve it is to run this on your log server:
find / -name opsec_pull_cert
and find the version bundled with Log Exporter (on my R80.40 it was in /opt/CPrt-R80.40/log_indexer/opsec_pull_cert).
Copy that binary file and overwrite it in the LTA extracted folder. Now when you run ./LTA run, the fetch certificate process will work and use TLS 1.x because it is using the newer opsec_pull_cert binary.
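Both the tcpdump diagnosis in the question (the client offering only SSLv3 on port 18210) and the claim in the answer that the newer binary speaks TLS 1.x can be checked directly from the first ClientHello record in the capture. The following Python parser is an added example, not code from the post or from Check Point: it reports the protocol versions a ClientHello offers. The record-building helper and the sample records are constructed for illustration and are assumptions, not real opsec_pull_cert traffic.

```python
import struct
# TLS/SSL protocol version codes as they appear on the wire.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def build_client_hello(client_version, cipher_suites, extensions=b""):
    """Construct a minimal handshake record carrying a ClientHello (sample input, not real traffic)."""
    body = struct.pack("!H", client_version) + b"\x00" * 32      # client_version + 32-byte random
    body += b"\x00"                                               # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites)) + b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                           # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", client_version, len(handshake)) + handshake

def supported_versions_ext(versions):
    """supported_versions extension (type 0x002b), which TLS 1.3-capable clients use to list versions."""
    vs = b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!HH", 0x002B, len(vs) + 1) + bytes([len(vs)]) + vs

def parse_client_hello(record):
    """Report which protocol versions a captured ClientHello record offers."""
    # SSLv2-format hellos (first byte with the high bit set) are not handled and are rejected here.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    record_version = struct.unpack("!H", record[1:3])[0]
    body = record[9:]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                                  # skip client_version and random
    pos += 1 + body[pos]                                          # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]          # cipher suites
    pos += 1 + body[pos]                                          # compression methods
    offered = [client_version]                                    # legacy field: highest version offered
    if pos + 2 <= len(body):                                      # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            if etype == 0x002B:                                   # supported_versions wins over legacy field
                offered = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
            pos += 4 + elen
    name = lambda v: VERSION_NAMES.get(v, hex(v))
    highest = max(offered)
    return {"record_version": name(record_version), "client_version": name(client_version),
            "highest_offered": name(highest), "sslv3_only": highest == 0x0300}
```

Feed the TCP payload of the first handshake record from the capture to parse_client_hello; a client that reports sslv3_only True is exactly the case that fails against a CA that no longer accepts SSLv3, and the replacement binary should report TLSv1.x as highest_offered instead.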
