Solved: Disable TLS 1.0

JG · ‎2019-12-12

I'm asking this question to a vendor as well. However, I will ask here too. I'm trying to disable TLS1.0 globally on a firewall cluster. This is in an effort to completely eliminate all HTTPS weak ciphers. I've been scanning our environment with various tools and found that TLS 1.0 is still a valid cipher when I scan my cluster IP addresses.

So far, I haven't been able to find any documentation on how to do this with Checkpoint. On an ASA it's 2 or 3 commands to stop supporting the cipher. The only thing I've seen in forums is that on Checkpoint it's not possible. Is this true?

I'm running R80.30 so I would think you would be able to do this but maybe not.

Thanks,

Jon

HeikoAnkenbrand · ‎2019-12-12

For HTTPS Inspection:

First create a snapshot of your system!!!

Instructions for versions R80.10 and above

If 'HTTPS Inspection' blade is enabled on a Security Gateway, then configure it not to use TLS 1.0.

Important Note: Some servers on the Internet still use TLS 1.0. Once this step is performed, there will be no connectivity to these servers through the Security Gateway.

Connect with SmartDashboard to Security Management Server / Domain Management Server.
Go to 'File' menu - click on 'Database Revision Control...' - create a revision snapshot.
Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
In the upper left pane, go to 'Table' - 'Other' - 'ssl_inspection'.
In the upper right pane, select the general_confs_obj.
Press CTRL+F (or go to 'Search' menu - 'Find') - paste ssl_min_ver - click on 'Find Next'.
In the lower pane, right-click on the 'ssl_min_ver' - 'Edit...' - choose "TLS1.1" - click on 'OK'.
Save the changes: go to 'File' menu - click on 'Save All'.
Close the GuiDBedit Tool.
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Install the policy onto the relevant Security Gateways.

➜ CCSM Elite, CCME, CCTE

View solution in original post

HeikoAnkenbrand · ‎2019-12-12

For GAIA protal:

First create a snapshot of your system!!!

On each machine that runs Gaia OS, configure Gaia Portal not to use TLS 1.0.

Important Note: Before implementing the steps below, save the current Gaia database - log in to Clish and run save config command.

Connect to command line on Gaia OS machine.
Log in to Expert mode.
Backup the current configuration template:
[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_BKP
Assign the "write" permission to the current configuration template:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
Edit the current configuration template in Vi editor:
[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
Search for "SSLProtocol" line.
Change the line
from
SSLProtocol -ALL +SSLv3 +TLSv1
to
SSLProtocol -ALL +TLSv1.1
Save the changes and exit from Vi editor.
Remove the "write" permission from the current configuration template:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u-w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
Update the current configuration of HTTPD daemon based on the modified configuration template:
[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
Restart the HTTPD daemon:
[Expert@HostName:0]# tellpm process:httpd2
[Expert@HostName:0]# tellpm process:httpd2 t
Restart the Gaia machine.

➜ CCSM Elite, CCME, CCTE

View solution in original post

_Val_ · ‎2019-12-13

@PhoneBoy or, mush better, use cipher_util

View solution in original post

Tobias_Moritz · ‎2021-02-18

Most communication between SmartConsole and Security Management is CPM today (and this was hardened), but some features are still relying on old CPMI and so you are right: We cannot disable TLS 1.0 completly on Security Management today.

However: SmartConsole (and SmartDashboard) is using TLS 1.2 these days for CMPI. It is just that the server side on Smart Management would also accept a TLS 1.0 connection and this is what is relevant when doing security assessments/audits.

The full answer I got from TAC last summer was (rephrased and not a direct quote, because I'm not sure if I'm allowed to post it here):

For CPMI (FWM) it is possible to change cipher/protocol settings by applying a command with a special flag.
This was provided over a RFE with Check Point local office and was made available having a specific customer environment been taking into consideration.

TAC declined to provide this command based on a normal TAC case (backed up by TAC management). If a customer really needs it, a RFE should been raised at local Check Point office.

They also said, that there was a very good reason this command was not documented anywhere even after the original RFE and it was not meant to be used as a solution for anything just yet.

For me this sounds like: untested, no general support and they do not believe this will work in normal environments. Thats why I have it with "not possible" in my table.

Maybe there will be a day, Check Point R&D finished the replacement of CPMI with CPM 🙂

View solution in original post

HeikoAnkenbrand · ‎2019-12-12

For HTTPS Inspection:

First create a snapshot of your system!!!

Instructions for versions R80.10 and above

If 'HTTPS Inspection' blade is enabled on a Security Gateway, then configure it not to use TLS 1.0.

Important Note: Some servers on the Internet still use TLS 1.0. Once this step is performed, there will be no connectivity to these servers through the Security Gateway.

Connect with SmartDashboard to Security Management Server / Domain Management Server.
Go to 'File' menu - click on 'Database Revision Control...' - create a revision snapshot.
Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
In the upper left pane, go to 'Table' - 'Other' - 'ssl_inspection'.
In the upper right pane, select the general_confs_obj.
Press CTRL+F (or go to 'Search' menu - 'Find') - paste ssl_min_ver - click on 'Find Next'.
In the lower pane, right-click on the 'ssl_min_ver' - 'Edit...' - choose "TLS1.1" - click on 'OK'.
Save the changes: go to 'File' menu - click on 'Save All'.
Close the GuiDBedit Tool.
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Install the policy onto the relevant Security Gateways.

➜ CCSM Elite, CCME, CCTE

HeikoAnkenbrand · ‎2019-12-12

For GAIA protal:

First create a snapshot of your system!!!

On each machine that runs Gaia OS, configure Gaia Portal not to use TLS 1.0.

Important Note: Before implementing the steps below, save the current Gaia database - log in to Clish and run save config command.

Connect to command line on Gaia OS machine.
Log in to Expert mode.
Backup the current configuration template:
[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_BKP
Assign the "write" permission to the current configuration template:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
Edit the current configuration template in Vi editor:
[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
Search for "SSLProtocol" line.
Change the line
from
SSLProtocol -ALL +SSLv3 +TLSv1
to
SSLProtocol -ALL +TLSv1.1
Save the changes and exit from Vi editor.
Remove the "write" permission from the current configuration template:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u-w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
Update the current configuration of HTTPD daemon based on the modified configuration template:
[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
Restart the HTTPD daemon:
[Expert@HostName:0]# tellpm process:httpd2
[Expert@HostName:0]# tellpm process:httpd2 t
Restart the Gaia machine.

➜ CCSM Elite, CCME, CCTE

JG · ‎2019-12-12

I appreciate the quick response. It looks like this solution didn't work when done in a lab. Something I did overlook is that when I scan the firewalls my results are showing the certificates used for my VPN. In this case is there a solution to force the SSL VPN cipher to TLS1.1 or higher?

PhoneBoy · ‎2019-12-12

My understanding is the steps Heiko provided should work for that case.
If not, it's worth a TAC case.

_Val_ · ‎2019-12-13

@PhoneBoy or, mush better, use cipher_util

PhoneBoy · ‎2019-12-13

Forgot about that tool 😁

_Val_ · ‎2019-12-15

Dude! 🙂

jcorbett · ‎2020-03-15

Hi @JG, were you able to find a solution?

Nima_Chogyal · ‎2020-03-03

I tried your step and replaced the line in the /web/templates/httpd-ssl.conf.templ, But when we scanned on the interface again for PCI DSS compliance, the error us shown again. Is there any other step that i might have to do to disable tlsv1 on the gateways. The gateways are running R80.10.

Ancom · ‎2021-12-03

Good Morning,

how can I apply the same tls inspection to smtps traffic as well?

Thank you in advance.

PhoneBoy · ‎2021-12-03

Inline? No.
However, the gateway has an MTA that can be enabled with the Threat Prevention and/or DLP blades.
This can terminate SMTPS.

shiv_poch · ‎2023-07-12

hi!

how do we edit this sslprotocol line?

our firewall showing like this (from /web/templates/httpd-ssl.conf.templ):

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLS

If we want to remove both TLS v1.0 and TLSv1.1?

Running on R81.

Thanks.

Tobias_Moritz · ‎2023-07-17

E.g. this way:

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1.2

This is default Apache syntax for OpenSSL, nothing Check Point specific. If you want to tweak it further, just look up Apache documentation.

Please remember, that configuring /web/templates/httpd-ssl.conf.templ is only needed, when multi-portal deamon is not running. If it runs, use cipher_util for these configuration.

Amir_Arama · ‎2020-05-14

hi @HeikoAnkenbrand

about your procedure for ssl inspection.

i want to ask what will be the impact, actually i need to disable tls 1.0 and tls 1.1 only for specific incoming connection that i do ssl inspection for, so the pen tests will show only tls 1.2 is supported.

but i'm afraid that it will affect also outgoing internet surfing which also goes under ssl inspection, and i wonder, would it reject websites that using tls 1.1 and lower because of that? or it's only between the GW and the internal Pcs that will use only tls 1.2 ?

thanks

Nima_Chogyal · ‎2020-05-14

For me the configuration that we usually do on a linux server didnt work at all. My first attempt was that. During the vulnerability testing the customer kept on getting the same result where one of the report came out as failed due to tls1.0 and its vulnerability,im guessing it was called POODLE attack.

For the pen test the option of allowing only tls1.2 from the smartconsole works fine. For me though this helped me resolve the issue for the pen test. And installed a ssl certificate signed by a CA.like go daddy.

Gateway setup was Load sharing mode and version is R80.10.

_Val_ · ‎2019-12-13

Many internet sites are still using TLS 1.0. If the goal is to disable weak cyphers, you have a much better tool for the purpose than on Heiko mentioned.

There is something completely new available on R80.30 for cypher management, called cipher_util.

See sk126613 for details.

JG · ‎2019-12-13

I'll have to look into this because I did lab the solution Heiko provided. I will say that I do not want to stop HTTPS inspection from inspecting weak ciphers though. Just want to stop SSL VPNs and anything hitting the management plane of the firewall from using TLS 1.0.

_Val_ · ‎2019-12-13

@JG Especially then I suggest you look into the utility I have mentioned.

Thomas_Eichelbu · ‎2021-02-17

Hello,

does this tweaks also apply for the SmartCenter server???
Or does it only apply the the Security Gateway?
cipher_util doesnt run on a SmartCenter, in the Global Properties i have set MIN and MAX TLS version to 1.2 already ...
the SmartCenter still runs with TLS1.0 and so on ...
The Security Gateways are now on TLS1.2 after changing the Global Properties ...

iam a bit reluctant to tweak around on a live system ...

best regards
Thomas.

Tobias_Moritz · ‎2021-02-17

I had to dig through all the available options for hardening HTTPS settings on gateways and management server myself some time ago.

I wrote this table for myself after digging through various SKs, asking TAC and doing lab tests:

Product	TLS Endpoint Scenario	Hardening Ciphers using which sk
Security Gateway	Gaia Portal only (httpd2), normal operation	sk147272 – may need Redo after JHF needed
Security Gateway	Gaia Portal only (httpd2), cpstop	sk147272 – may need Redo after JHF needed
Security Gateway	Multiportal (httpd2), normal operation	sk126613 – No Redo after JHF needed
Security Gateway	Multiportal (httpd2), cpstop	sk147272 – may need Redo after JHF needed
Security Management	Gaia Portal (httpd2)	sk147272 – may need Redo after JHF needed
Security Management	CPM (Java) (:19009)	Supports only TLS 1.2 (hardcoded - sk122073) since • R80.10 Take 278 and on • R80.20 Take 149 and on • R80.30 Take 195 and on • R80.40 and above
Security Management	CPMI (FWM) (:18190)	Not possible

The difference between normal operation and cpstop on gateways is purely because of Multiportal. If you stopped Check Point services with cpstop, multiportal deamon is not in service anymore, but Gaia portal is still available. So HTTPS cipher config is falling back from multi portal config to plain httpd config. On gateways without Multiportal, there is no difference.

If anybody has additional infos or corrections for this table, I'm happy to hear from you 🙂

Thomas_Eichelbu · ‎2021-02-18

Hi,
Thank you Tobias, a good list ...

Question:
so since this process for the SmartConsole / SIC still remains on TLS1.0 its not possible to remove ALL old TLS versions from the Smartcenter?

Security Management

CPMI (FWM) (:18190)

Not possible

Tobias_Moritz · ‎2021-02-18