- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Why do Hackers Love IoT Devices so Much?
Join our TechTalk on Aug 17, at 5PM CET | 11AM EST
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
sk147272 currently is the suggested procedure to remove vulnerable ssl ciphers and protocols. The sk120774 and sk111307 does a reboot instead of the final steps, sk163542 only shows the current status and sk126613 is using the cipher tool that only works with MultiPortal enabled. I have summed up information from several source to get it discussed here:
1. First, see the active ciphers:
more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
2. So we know how to ask for TLS versions:
cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1
TLSv1.2
TLSv1.3
After a backup of the original template file:
[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
3. Assign the 'write' permission to the current /web/templates/httpd-ssl.conf.templ file:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
4. Edit the current /web/templates/httpd-ssl.conf.templ file:
[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
5. In the section, change:
from:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
To:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
(from sk147272 - used in the following parts): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1
Notes:
see the active ciphers:
more /web/templates/httpd-ssl.conf.templ | grep SSLCipherSuite
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
[Expert@HostName:0]# cpopenssl ciphers -v 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1.2
TLSv1.3
Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file:
[Expert@HostName:0]# chmod -v u-w /web/templates/httpd-ssl.conf.templ
9. Update the current configuration of the HTTPD daemon based on the modified configuration template:
[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
10. Restart the HTTPD daemon:
[Expert@HostName:0]# tellpm process:httpd2
[Expert@HostName:0]# tellpm process:httpd2 t
@G_W_Albrecht , I suppose it'll work on SMS as well.
Did you try running cipher_util afterwards to see if its output matching your modifications?
Cheers,
Vladimir
Yes, this is for GW or SMS. On GW, cipher_util works and shows:
Enabled:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Thank you!
What puzzles me is the difference here:
(from sk147272): SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
(from sk120774): SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1
What about no Medium:
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
Anyone found a link to mod_ssl syntax not from 2001 ?
I was not looking at it specifically, but let's loop in @PhoneBoy to see if he knows...
I found it here: https://httpd.apache.org/docs/current/mod/mod_ssl.html
The interesting part:
Aliases: | |
SSLv3 |
all SSL version 3.0 ciphers |
TLSv1 |
all TLS version 1.0 ciphers |
EXP |
all export ciphers |
EXPORT40 |
all 40-bit export ciphers only |
EXPORT56 |
all 56-bit export ciphers only |
LOW |
all low strength ciphers (no export, single DES) |
MEDIUM |
all ciphers with 128 bit encryption |
HIGH |
all ciphers using Triple-DES |
RSA |
all ciphers using RSA key exchange |
DH |
all ciphers using Diffie-Hellman key exchange |
EDH |
all ciphers using Ephemeral Diffie-Hellman key exchange |
ECDH |
Elliptic Curve Diffie-Hellman key exchange |
ADH |
all ciphers using Anonymous Diffie-Hellman key exchange |
AECDH |
all ciphers using Anonymous Elliptic Curve Diffie-Hellman key exchange |
SRP |
all ciphers using Secure Remote Password (SRP) key exchange |
DSS |
all ciphers using DSS authentication |
ECDSA |
all ciphers using ECDSA authentication |
So combining both from above excluding 128 bit encryption would read:
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RSA:+HIGH:!ADH:!EXP:!ECDSA:!aECDH:!MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY