Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
G_W_Albrecht
Legend Legend
Legend

Gaia Portal SSL cipher suites

sk147272 currently is the suggested procedure to remove vulnerable ssl ciphers and protocols. The sk120774 and sk111307 does a reboot instead of the final steps, sk163542 only shows the current status and sk126613 is using the cipher tool that only works with MultiPortal enabled. I have summed up information from several source to get it discussed here:

1. First, see the active ciphers:

more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

2. So we know how to ask for TLS versions:

cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1
TLSv1.2
TLSv1.3

After a backup of the original template file:

[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL

3. Assign the 'write' permission to the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

4. Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

5. In the section, change:

from:

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

To:

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

(from sk147272 - used in the following parts): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

Notes:

see the active ciphers:

more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

[Expert@HostName:0]# cpopenssl ciphers -v 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1.2
TLSv1.3

Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# chmod -v u-w /web/templates/httpd-ssl.conf.templ

9. Update the current configuration of the HTTPD daemon based on the modified configuration template:

[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active

10. Restart the HTTPD daemon:

[Expert@HostName:0]# tellpm process:httpd2

[Expert@HostName:0]# tellpm process:httpd2 t

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
16 Replies
Vladimir
Champion
Champion

@G_W_Albrecht , I suppose it'll work on SMS as well.

Did you try running cipher_util afterwards to see if its output matching your modifications?

Cheers,

Vladimir

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Yes, this is for GW or SMS. On GW, cipher_util works and shows:

Enabled:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vladimir
Champion
Champion

Thank you!

0 Kudos
G_W_Albrecht
Legend Legend
Legend

What puzzles me is the difference here:

(from sk147272): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

What about no Medium:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

Anyone found a link to mod_ssl syntax not from 2001 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vladimir
Champion
Champion

I was not looking at it specifically, but let's loop in @PhoneBoy to see if he knows...

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I found it here: https://httpd.apache.org/docs/current/mod/mod_ssl.html

The interesting part:

Aliases:
SSLv3 all SSL version 3.0 ciphers
TLSv1 all TLS version 1.0 ciphers
EXP all export ciphers
EXPORT40 all 40-bit export ciphers only
EXPORT56 all 56-bit export ciphers only
LOW all low strength ciphers (no export, single DES)
MEDIUM all ciphers with 128 bit encryption
HIGH all ciphers using Triple-DES
RSA all ciphers using RSA key exchange
DH all ciphers using Diffie-Hellman key exchange
EDH all ciphers using Ephemeral Diffie-Hellman key exchange
ECDH Elliptic Curve Diffie-Hellman key exchange
ADH all ciphers using Anonymous Diffie-Hellman key exchange
AECDH all ciphers using Anonymous Elliptic Curve Diffie-Hellman key exchange
SRP all ciphers using Secure Remote Password (SRP) key exchange
DSS all ciphers using DSS authentication
ECDSA all ciphers using ECDSA authentication

 

So combining both from above excluding 128 bit encryption would read:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RSA:+HIGH:!ADH:!EXP:!ECDSA:!aECDH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
just13pro
Collaborator

If I only enabled these 2 ciphers, I am not able to open the Gaia portal.

- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256

Is there anything that I missed?

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Maybe you GAiA Portal Cert is SHA-1 from an old installation, see sk108252 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

R81.10 has changed the TLS switch and sk147272 now has:

WARNING: This configuration change is NOT COMPATIBLE with R81.10 and newer releases.   Performing step 6 above on an R81.10 system will result in management API failure to start.  

R81.10 comes out of the box with TLS 1.2 as the lowest enabled TLS version.  On R81.10 and newer, please use the clish command to change the supported TLS version:

HOST> set ssl tls TLSv1.3 on
HOST> set ssl tls TLSv1.2 off
HOST> save config
HOST>

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Robin_H
Contributor

Are there scenarios where this "manual disabling of TLSv1.x" is needed even after sk154532 is applied where snx_ssl_min_ver has already been set to TLS1.2?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I do not know of such scenarios nor why they should exist, so you would have to look for yourself...

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maher
Explorer

Hi,

I have a Cloudguard VMSS in Azure, I would like to remove vulnerable cipher suites (as shown in sk147272) for new provisioned GWs in case of Scale Out via CME. Do you have any idea how to do it please?

my cloudguards VMSS are in R81.10

 

Thanks!

0 Kudos
G_W_Albrecht
Legend Legend
Legend

No.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Dmitry_Gorn
Employee
Employee

It is possible to create a bash script that implements the configurations from the SK and configure it to run on every scaled-out instance.

Please refer to the CME Admin Guide here:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CME/Content/Topics-CME/CME_Structure_...

 

Under "Supported Configuration Template parameters", argument "CUSTOM_GATEWAY_SCRIPT".

 

Regards,

Dmitry

CPnoob
Contributor

Does this fix of the cypher suites apply to a R77.30?
I know it is old and I an trying to push a new box in, but untill then.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

R77.30 is out of support since September 2019, so Gaia SSL Cipher suites are the least important issue - as IPS, AV, URLF and all other TP will not work, this can not be called a security solution! See https://support.checkpoint.com/results/sk/sk111307 about how to do this.

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events