Solved: Disable TLS 1.0

JG · ‎2019-12-12

I'm asking this question to a vendor as well. However, I will ask here too. I'm trying to disable TLS1.0 globally on a firewall cluster. This is in an effort to completely eliminate all HTTPS weak ciphers. I've been scanning our environment with various tools and found that TLS 1.0 is still a valid cipher when I scan my cluster IP addresses.

So far, I haven't been able to find any documentation on how to do this with Checkpoint. On an ASA it's 2 or 3 commands to stop supporting the cipher. The only thing I've seen in forums is that on Checkpoint it's not possible. Is this true?

I'm running R80.30 so I would think you would be able to do this but maybe not.

Thanks,

Jon

_Val_ · ‎2019-12-13

@PhoneBoy or, mush better, use cypher_util

View solution in original post

HeikoAnkenbrand · ‎2019-12-12

For HTTPS Inspection:

First create a snapshot of your system!!!

Instructions for versions R80.10 and above

If 'HTTPS Inspection' blade is enabled on a Security Gateway, then configure it not to use TLS 1.0.

Important Note: Some servers on the Internet still use TLS 1.0. Once this step is performed, there will be no connectivity to these servers through the Security Gateway.

Connect with SmartDashboard to Security Management Server / Domain Management Server.
Go to 'File' menu - click on 'Database Revision Control...' - create a revision snapshot.
Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
In the upper left pane, go to 'Table' - 'Other' - 'ssl_inspection'.
In the upper right pane, select the general_confs_obj.
Press CTRL+F (or go to 'Search' menu - 'Find') - paste ssl_min_ver - click on 'Find Next'.
In the lower pane, right-click on the 'ssl_min_ver' - 'Edit...' - choose "TLS1.1" - click on 'OK'.
Save the changes: go to 'File' menu - click on 'Save All'.
Close the GuiDBedit Tool.
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Install the policy onto the relevant Security Gateways.

HeikoAnkenbrand · ‎2019-12-12

For GAIA protal:

First create a snapshot of your system!!!

On each machine that runs Gaia OS, configure Gaia Portal not to use TLS 1.0.

Important Note: Before implementing the steps below, save the current Gaia database - log in to Clish and run save config command.

Connect to command line on Gaia OS machine.
Log in to Expert mode.
Backup the current configuration template:
[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_BKP
Assign the "write" permission to the current configuration template:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
Edit the current configuration template in Vi editor:
[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
Search for "SSLProtocol" line.
Change the line
from
SSLProtocol -ALL +SSLv3 +TLSv1
to
SSLProtocol -ALL +TLSv1.1
Save the changes and exit from Vi editor.
Remove the "write" permission from the current configuration template:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u-w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
Update the current configuration of HTTPD daemon based on the modified configuration template:
[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
Restart the HTTPD daemon:
[Expert@HostName:0]# tellpm process:httpd2
[Expert@HostName:0]# tellpm process:httpd2 t
Restart the Gaia machine.

JG · ‎2019-12-12

I appreciate the quick response. It looks like this solution didn't work when done in a lab. Something I did overlook is that when I scan the firewalls my results are showing the certificates used for my VPN. In this case is there a solution to force the SSL VPN cipher to TLS1.1 or higher?

PhoneBoy · ‎2019-12-12

My understanding is the steps Heiko provided should work for that case.
If not, it's worth a TAC case.

_Val_ · ‎2019-12-13

@PhoneBoy or, mush better, use cypher_util

View solution in original post

PhoneBoy · ‎2019-12-13

Forgot about that tool 😁

_Val_ · ‎2019-12-15

Dude! 🙂

jcorbett · ‎2020-03-15

Hi @JG, were you able to find a solution?

Nima_Chogyal · ‎2020-03-03

I tried your step and replaced the line in the /web/templates/httpd-ssl.conf.templ, But when we scanned on the interface again for PCI DSS compliance, the error us shown again. Is there any other step that i might have to do to disable tlsv1 on the gateways. The gateways are running R80.10.

Amir_Arama · ‎2020-05-14

hi @HeikoAnkenbrand

about your procedure for ssl inspection.

i want to ask what will be the impact, actually i need to disable tls 1.0 and tls 1.1 only for specific incoming connection that i do ssl inspection for, so the pen tests will show only tls 1.2 is supported.

but i'm afraid that it will affect also outgoing internet surfing which also goes under ssl inspection, and i wonder, would it reject websites that using tls 1.1 and lower because of that? or it's only between the GW and the internal Pcs that will use only tls 1.2 ?

thanks

Nima_Chogyal · ‎2020-05-14

For me the configuration that we usually do on a linux server didnt work at all. My first attempt was that. During the vulnerability testing the customer kept on getting the same result where one of the report came out as failed due to tls1.0 and its vulnerability,im guessing it was called POODLE attack.

For the pen test the option of allowing only tls1.2 from the smartconsole works fine. For me though this helped me resolve the issue for the pen test. And installed a ssl certificate signed by a CA.like go daddy.

Gateway setup was Load sharing mode and version is R80.10.

_Val_ · ‎2019-12-13

Many internet sites are still using TLS 1.0. If the goal is to disable weak cyphers, you have a much better tool for the purpose than on Heiko mentioned.

There is something completely new available on R80.30 for cypher management, called cipher_util.

See sk126613 for details.

JG · ‎2019-12-13

I'll have to look into this because I did lab the solution Heiko provided. I will say that I do not want to stop HTTPS inspection from inspecting weak ciphers though. Just want to stop SSL VPNs and anything hitting the management plane of the firewall from using TLS 1.0.

_Val_ · ‎2019-12-13

@JG Especially then I suggest you look into the utility I have mentioned.