JG
Participant

Disable TLS 1.0

I'm asking this question to a vendor as well. However, I will ask here too. I'm trying to disable TLS1.0 globally on a firewall cluster. This is in an effort to completely eliminate all HTTPS weak ciphers. I've been scanning our environment with various tools and found that TLS 1.0 is still a valid cipher when I scan my cluster IP addresses.

So far, I haven't been able to find any documentation on how to do this with Checkpoint. On an ASA it's 2 or 3 commands to stop supporting the cipher. The only thing I've seen in forums is that on Checkpoint it's not possible. Is this true?

I'm running R80.30 so I would think you would be able to do this but maybe not. 

Thanks,

Jon

27 Replies
HeikoAnkenbrand
Champion

For HTTPS Inspection:

First create a snapshot of your system!!!

Instructions for versions R80.10 and above

If 'HTTPS Inspection' blade is enabled on a Security Gateway, then configure it not to use TLS 1.0.

Important Note: Some servers on the Internet still use TLS 1.0. Once this step is performed, there will be no connectivity to these servers through the Security Gateway.

  1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  2. Go to 'File' menu - click on 'Database Revision Control...' - create a revision snapshot.

  3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

  4. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

  5. In the upper left pane, go to 'Table' - 'Other' - 'ssl_inspection'.

  6. In the upper right pane, select the general_confs_obj.

  7. Press CTRL+F (or go to 'Search' menu - 'Find') - paste ssl_min_ver - click on 'Find Next'.

  8. In the lower pane, right-click on the 'ssl_min_ver' - 'Edit...' - choose "TLS1.1" - click on 'OK'.

  9. Save the changes: go to 'File' menu - click on 'Save All'.

  10. Close the GuiDBedit Tool.

  11. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  12. Install the policy onto the relevant Security Gateways.

➜ CCSM Elite, CCME, CCTE
HeikoAnkenbrand
Champion

For Gaia portal:

First create a snapshot of your system!!!

On each machine that runs Gaia OS, configure Gaia Portal not to use TLS 1.0.

Important Note: Before implementing the steps below, save the current Gaia database - log in to Clish and run save config command.

  1. Connect to command line on Gaia OS machine.

  2. Log in to Expert mode.

  3. Backup the current configuration template:

    [Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_BKP

  4. Assign the "write" permission to the current configuration template:

    [Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
    [Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ
    [Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

  5. Edit the current configuration template in Vi editor:

    [Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

  6. Search for "SSLProtocol" line.

  7. Change the line

    from
    SSLProtocol -ALL +SSLv3 +TLSv1
    to
    SSLProtocol -ALL +TLSv1.1

  8. Save the changes and exit from Vi editor.

  9. Remove the "write" permission from the current configuration template:

    [Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
    [Expert@HostName:0]# chmod u-w /web/templates/httpd-ssl.conf.templ
    [Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

  10. Update the current configuration of HTTPD daemon based on the modified configuration template:

    [Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active

  11. Restart the HTTPD daemon:

    [Expert@HostName:0]# tellpm process:httpd2
    [Expert@HostName:0]# tellpm process:httpd2 t

  12. Restart the Gaia machine.

➜ CCSM Elite, CCME, CCTE
JG
Participant

I appreciate the quick response. It looks like this solution didn't work when done in a lab. Something I did overlook is that when I scan the firewalls my results are showing the certificates used for my VPN. In this case is there a solution to force the SSL VPN cipher to TLS1.1 or higher?


PhoneBoy
Admin
My understanding is the steps Heiko provided should work for that case.
If not, it's worth a TAC case.

_Val_
Admin

@PhoneBoy or, much better, use cipher_util

PhoneBoy
Admin
Forgot about that tool 😁

_Val_
Admin

Dude! 🙂

jcorbett
Explorer

Hi @JG, were you able to find a solution?

Nima_Chogyal
Contributor

I tried your steps and replaced the line in /web/templates/httpd-ssl.conf.templ, but when we scanned the interface again for PCI DSS compliance, the error is shown again. Is there any other step that I might have to do to disable TLSv1 on the gateways? The gateways are running R80.10.

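One way to re-check a listener after editing the template, as an added example that is not Check Point code or the cipher_util tool: it offers the portal exactly one TLS version per handshake and reports which of TLS 1.0/1.1 are still accepted. The host and port are assumed to be a gateway you administer, and the local OpenSSL is assumed to still be able to offer TLS 1.0/1.1 (on OpenSSL 3 that needs the @SECLEVEL=0 cipher string set below).

```python
"""Probe which TLS versions a gateway or management portal really accepts,
one version per handshake.  Added example for this thread, not Check Point
code or a Check Point tool.  Assumes the target is a system you administer
and that the local OpenSSL can still offer TLS 1.0/1.1 (on OpenSSL 3 that
needs the @SECLEVEL=0 cipher string set below)."""
import socket
import ssl

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
WEAK = ("TLSv1", "TLSv1.1")


def accepts(host, port, name, timeout=5.0):
    """True if the server completes a handshake when the client offers only
    'name'.  Certificate validation is off on purpose: the question is which
    protocol the listener negotiates, not whether its certificate chains."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    if name in WEAK:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL 3 offer legacy suites
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Map every version to whether 'host:port' accepted it."""
    return {name: accepts(host, port, name) for name in VERSIONS}


def weak_accepted(results):
    """Versions from a probe() result that a PCI DSS scan will still flag."""
    return [name for name in WEAK if results.get(name)]


def report(host, port=443):
    """Human-readable verdict; sample call: report('203.0.113.1')."""
    results = probe(host, port)
    still_weak = weak_accepted(results)
    accepted = ", ".join(n for n, ok in results.items() if ok) or "none"
    verdict = ("weak versions still accepted: %s" % still_weak) if still_weak else "hardened"
    return "%s:%d accepts %s (%s)" % (host, port, accepted, verdict)
```

If the template now says TLS 1.2 only but the probe still sees TLS 1.0 on port 443, another listener is answering there (multi-portal or the VPN portal rather than plain httpd), which is the situation this thread goes on to discuss.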
Ancom
Explorer

Good Morning,

how can I apply the same tls inspection to smtps traffic as well?

Thank you in advance.
PhoneBoy
Admin

Inline? No.
However, the gateway has an MTA that can be enabled with the Threat Prevention and/or DLP blades.
This can terminate SMTPS.

shiv_poch
Explorer

hi!

how do we edit this sslprotocol line?

our firewall showing like this (from /web/templates/httpd-ssl.conf.templ):

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLS

If we want to remove both TLS v1.0 and TLSv1.1?

Running on R81.

Thanks.

Tobias_Moritz
Advisor

E.g. this way:

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1.2

This is default Apache syntax for OpenSSL, nothing Check Point specific. If you want to tweak it further, just look up Apache documentation.

Please remember that configuring /web/templates/httpd-ssl.conf.templ is only needed when the multi-portal daemon is not running. If it runs, use cipher_util for this configuration.

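To check an SSLProtocol line before (or after) editing the template by hand, here is an added example, not Check Point code: it resolves the Gaia {ifcmp ...} conditional shown above against a constructed stand-in for the Gaia database and then applies mod_ssl's +/- semantics to list what is still enabled. The settings dictionary and its ssl3_enabled key are assumptions modelled on the template line quoted in this thread.

```python
"""Evaluate an Apache mod_ssl 'SSLProtocol' line, including the Gaia
template conditional seen in /web/templates/httpd-ssl.conf.templ, and
report which protocol versions it still enables.  Added example for this
thread, not Check Point code.  Assumes mod_ssl semantics: a bare keyword
replaces the set, '+' adds, '-' removes, and 'ALL' is every version below."""
import re

ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in ALL}   # mod_ssl matches keywords case-insensitively
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}  # what a PCI DSS scan flags

# Gaia template syntax: {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3
_IFCMP = re.compile(r"\{ifcmp = \$httpd:(\w+) ([^\s}]+)\}(.*?)\{else\}(.*?)\{endif\}")


def render_template(line, settings):
    """Resolve {ifcmp ...} blocks the way template_xlate would.  'settings' is a
    constructed stand-in for the Gaia database, e.g. {'ssl3_enabled': '0'}."""
    def pick(m):
        key, expected, if_true, if_false = m.groups()
        return if_true if settings.get(key) == expected else if_false
    return _IFCMP.sub(pick, line)


def enabled_protocols(line):
    """Protocols enabled by a rendered SSLProtocol directive, in ALL order."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % line)
    enabled = set()
    for tok in tokens[1:]:
        action = tok[0] if tok[0] in "+-" else ""
        raw = tok.lstrip("+-").lower()
        if raw == "all":
            names = set(ALL)
        elif raw in CANON:
            names = {CANON[raw]}
        else:                       # e.g. a truncated '+TLS' is not a protocol
            raise ValueError("unknown protocol keyword: %r" % tok)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:                       # bare keyword resets the set, as mod_ssl does
            enabled = names
    return [p for p in ALL if p in enabled]


def weak_protocols(line, settings=None):
    """Weak versions a (template) line still allows; an empty list means hardened."""
    rendered = render_template(line, settings or {})
    return [p for p in enabled_protocols(rendered) if p in WEAK]
```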
Amir_Arama
Advisor

hi @HeikoAnkenbrand 

about your procedure for SSL inspection.

I want to ask what the impact will be. Actually I need to disable TLS 1.0 and TLS 1.1 only for specific incoming connections that I do SSL inspection for, so the pen tests will show only TLS 1.2 is supported.

But I'm afraid that it will also affect outgoing internet surfing, which also goes under SSL inspection, and I wonder, would it reject websites that use TLS 1.1 and lower because of that? Or is it only between the GW and the internal PCs that will use only TLS 1.2?

thanks

Nima_Chogyal
Contributor

For me the configuration that we usually do on a Linux server didn't work at all. My first attempt was that. During the vulnerability testing the customer kept on getting the same result, where one of the reports came out as failed due to TLS 1.0 and its vulnerability; I'm guessing it was called the POODLE attack.

For the pen test the option of allowing only TLS 1.2 from the SmartConsole works fine. For me, though, this helped me resolve the issue for the pen test. And I installed an SSL certificate signed by a CA like GoDaddy.

Gateway setup was Load sharing mode and version is R80.10.
Fiqri_kurniawan
Participant

Hello Sir, 

Thanks for your solution. 

I have some question about this.

If I look at your step by step, it seems to apply globally to all https inspection rules that are "inspected". Can we make it specifics, for example in rule 1 to Server A the inspection still uses tls1.0. But for rule 2 to inspect server B, only use a minimum of tls1.2. Is that possible?

Thank You. 😊

PhoneBoy
Admin

Not in the HTTPS Inspection policy.
Because you need to connect with TLS 1.0 to some site, this needs to be enabled globally.
You could, in the Threat Prevention and/or Access Control policy, block TLS 1.0 and 1.1 for all but specific sites (possibly using inline rules).

Fiqri_kurniawan
Participant

Thank you for your answer, Mister PhoneBoy.

I have tried this suggestion. For example, I creating an access control policy rule number 10 which contains the destination to the server with the action drop tls 1.0 and tls 1.0. Below that there is an existing accept rule with the same destination, but there is an https service in the accept action.

What happens is that the website won't open. Please provide input.

Thank you.

_Val_
Admin

Many internet sites are still using TLS 1.0. If the goal is to disable weak ciphers, you have a much better tool for the purpose than the one Heiko mentioned.

There is something completely new available on R80.30 for cipher management, called cipher_util.

See sk126613 for details.

JG
Participant
I'll have to look into this because I did lab the solution Heiko provided. I will say that I do not want to stop HTTPS inspection from inspecting weak ciphers though. Just want to stop SSL VPNs and anything hitting the management plane of the firewall from using TLS 1.0.
_Val_
Admin

@JG Especially then I suggest you look into the utility I have mentioned. 

Thomas_Eichelbu
Advisor

Hello, 

do these tweaks also apply to the SmartCenter server???
Or do they only apply to the Security Gateway?
cipher_util doesn't run on a SmartCenter; in the Global Properties I have set the MIN and MAX TLS version to 1.2 already ...
the SmartCenter still runs with TLS1.0 and so on ...
The Security Gateways are now on TLS1.2 after changing the Global Properties ...

I am a bit reluctant to tweak around on a live system ...

best regards
Thomas.

Tobias_Moritz
Advisor

I had to dig through all the available options for hardening HTTPS settings on gateways and management server myself some time ago.

I wrote this table for myself after digging through various SKs, asking TAC and doing lab tests:

Product             | TLS endpoint scenario                        | Hardening ciphers using which sk
--------------------+----------------------------------------------+--------------------------------------
Security Gateway    | Gaia Portal only (httpd2), normal operation  | sk147272 (may need redo after JHF)
Security Gateway    | Gaia Portal only (httpd2), cpstop            | sk147272 (may need redo after JHF)
Security Gateway    | Multiportal (httpd2), normal operation       | sk126613 (no redo after JHF needed)
Security Gateway    | Multiportal (httpd2), cpstop                 | sk147272 (may need redo after JHF)
Security Management | Gaia Portal (httpd2)                         | sk147272 (may need redo after JHF)
Security Management | CPM (Java) (:19009)                          | Supports only TLS 1.2 (hardcoded, sk122073) since the takes listed below
Security Management | CPMI (FWM) (:18190)                          | Not possible

CPM is TLS 1.2 only since:

•    R80.10 Take 278 and on
•    R80.20 Take 149 and on
•    R80.30 Take 195 and on
•    R80.40 and above

The difference between normal operation and cpstop on gateways is purely because of Multiportal. If you stopped Check Point services with cpstop, the multiportal daemon is not in service anymore, but the Gaia portal is still available. So the HTTPS cipher config falls back from the multi-portal config to the plain httpd config. On gateways without Multiportal, there is no difference.

If anybody has additional info or corrections for this table, I'm happy to hear from you 🙂

Thomas_Eichelbu
Advisor

Hi,
Thank you Tobias, a good list ...

Question:
so since this process for the SmartConsole / SIC still remains on TLS1.0, is it not possible to remove ALL old TLS versions from the SmartCenter?

Security Management | CPMI (FWM) (:18190) | Not possible

Tobias_Moritz
Advisor

Most communication between SmartConsole and Security Management is CPM today (and this was hardened), but some features are still relying on old CPMI, and so you are right: we cannot disable TLS 1.0 completely on Security Management today.

However: SmartConsole (and SmartDashboard) is using TLS 1.2 these days for CPMI. It is just that the server side on Security Management would also accept a TLS 1.0 connection, and this is what is relevant when doing security assessments/audits.

The full answer I got from TAC last summer was (rephrased and not a direct quote, because I'm not sure if I'm allowed to post it here):

For CPMI (FWM) it is possible to change cipher/protocol settings by applying a command with a special flag.
This was provided over an RFE with the Check Point local office and was made available with a specific customer environment taken into consideration.

TAC declined to provide this command based on a normal TAC case (backed up by TAC management). If a customer really needs it, an RFE should be raised at the local Check Point office.

They also said that there was a very good reason this command was not documented anywhere even after the original RFE, and it was not meant to be used as a solution for anything just yet.

For me this sounds like: untested, no general support, and they do not believe this will work in normal environments. That's why I have it as "not possible" in my table.

Maybe there will be a day when Check Point R&D finishes the replacement of CPMI with CPM 🙂
PhoneBoy
Admin

Keep in mind most of the security issues with TLS 1.0 don't apply when certificates are used.
After the initial one-time password initialization, SIC uses certificates for everything.

Juan_
Collaborator

Hi,

When doing HTTPS inspection inbound, do you think setting the service as "TLSv1.2" in the access policy (or the https inspection policy?) would do?

Many thanks! 
