Ruan_Kotze
MVP Gold

Enforcing TLS level with Inbound HTTPS Inspection

Good Day,

I have an interesting scenario and my research is giving me conflicting answers.

I am publishing a webserver through an R81.10 T190 gateway (managed by an R82 SMS). Inbound HTTPS inspection has been configured and is working well. There is one interesting aspect to my HTTPS inspection rulebase. The webserver has a single IP but hosts multiple websites sitting on different domains (thus I cannot make use of wildcard certificates). In order to get inspection working I've had to add a custom application definition to the inspection policy, like so:

[Screenshot: Screenshot 2026-05-19 142557.png]

This works well and allows me to inspect all sites. The backend webserver is hardened and configured to reject all TLS versions below 1.2.

My challenge is that as soon as I enable inspection, security scanners flag the sites as accepting TLS 1.0 and higher connections.

Here is where things get curious: running cipher_util and selecting SSL Inspection is only showing me TLS 1.2 and TLS 1.3 ciphers. In the old days we could set the ssl_min_ver using GuiDBedit, but I believe that has been deprecated. For what it's worth, the setting there is TLS1.0 and TLS1.2 for ssl_min_ver and ssl_max_ver respectively.

Why would my gateway be offering these deprecated ciphers (considering it's disabled on the back-end site), and how to correct it?

Thanks,
Ruan

4 Replies
Ruan_Kotze
MVP Gold

Quick Update,

3 new datapoints:
The gateway still obeys the ssl_min_ver parameter. I raised the min_ver to 1.1 and this was reflected in my scan result.
Conversely, ssl_max_ver is not obeyed. Despite it being set to 1.2 (no option exists for 1.3), scans correctly show the website as offering 1.3.
Setting the access policy Service to TLS1.2 (as opposed to HTTPS) surprisingly has no impact on the scan result.

Thanks,
Ruan

Lesley
MVP Gold
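Added example, not code from the thread: a small Python probe that repeats what the scanners above do, a handshake pinned to one TLS version at a time, so the gateway's published address and the hardened backend can be compared directly and the ssl_min_ver change verified. Host, port and SNI name are placeholders supplied on the command line; the OpenSSL security-level tweak is only needed for the legacy-version probes.

```python
"""Probe which TLS protocol versions an HTTPS endpoint will negotiate."""
import socket
import ssl
import sys

# Order matters: findings() treats earlier entries as older versions.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1.0", "TLSv1.1"}


def probe_version(host: str, port: int, name: str, server_name: str,
                  timeout: float = 5.0) -> bool:
    """True if the endpoint completes a handshake pinned to exactly `name`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # only version negotiation is under test
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    if name in LEGACY:
        # OpenSSL 3 refuses TLS < 1.2 at its default security level; the
        # probe lowers it so a refusal reflects the server, not the client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # SNI is passed explicitly: the thread's server hosts several
            # domains on one IP, so the name selects the site being checked.
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_all(host: str, port: int, server_name: str) -> dict:
    """Map each version name to whether the endpoint accepted it."""
    return {v: probe_version(host, port, v, server_name) for v in VERSIONS}


def findings(accepted: dict, minimum: str = "TLSv1.2") -> list:
    """Accepted versions older than `minimum`, i.e. what a scanner would flag."""
    order = list(VERSIONS)
    return [v for v in order[: order.index(minimum)] if accepted.get(v)]


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    sni = sys.argv[3] if len(sys.argv) > 3 else host
    result = probe_all(host, port, sni)
    print(result, "flagged:", findings(result))
```

Run it once against the backend's internal address and once against the gateway's public address with the same site hostname as SNI; any version listed under "flagged" for the gateway but not for the backend is being offered by the inspection layer.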

Please share the correct version number and take number. T183 is the latest take for R81.10, which is now EOL.

-------
Please press "Accept as Solution" if my post solved it 🙂
Ruan_Kotze
MVP Gold

Good catch, indeed it is T183.

Gateways are slated for upgrade to R82 in the next month. I will definitely make a note to see if the findings are still valid.

Lesley
MVP Gold

I would upgrade first and then see what ssllabs reports regarding SSL ciphers; after that, indeed follow the cipher tool. Note there are many changes in R82 for HTTPS inspection:

[image.png]

-------
Please press "Accept as Solution" if my post solved it 🙂