Ryan_Ryan
Nickel

HTTPS inspection ECDHE

Hi guys,

Symptoms here are: with HTTPS inspection enabled on an R77.30 gateway, I have had quite a few sites not working ("connection terminated").

The workaround I have been using was to put a bypass for the IP address of the site in position #1 in the policy (putting a bypass by regex matching the URL does not fix it). As the number of sites has grown, I need a proper fix. I have found all the offending sites seem to be offering TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as their first preference.

I found sk110883, which seems to relate. As I am running take 317, I believe all I need to do is the registry change to support 384 and reboot.

It looks like I have two options though:

  • To prefer / propose ECDHE cipher suites:

    1. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
    2. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
  • To prefer / propose ECDSA cipher suites:

    1. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1
    2. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1

I presume I would choose ECDHE and just run those two lines; is there any potential for breaking sites using ECDSA?

thanks

2 Replies
Employee+

Re: HTTPS inspection ECDHE

Ryan_Ryan
Nickel

Re: HTTPS inspection ECDHE

So after making the change I had some improvements: some websites that were previously broken started working without needing an HTTPS bypass.

However, I found some sites still don't load unless specially bypassed by IP address.

When I look at the first cipher offered by the website, it reports:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

When I look at this page of supported ciphers:

Supported cipher suites for HTTPS Inspection 

we can see that it's specifically not supported. So my question is, what exactly can we do about it? I'm going to end up with hundreds of websites in my bypass rule, and as we have to do it via IP, any time a site changes IP, or one that uses a CDN, it's going to break again.

It makes sense that the bypass doesn't work by URL regex (it can't see the URL yet, because it doesn't understand how to negotiate a secure connection).

Are there plans to add support for these ciphers, or some way to configure the Check Point to try and down-negotiate to a supported cipher?
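Both posts come down to which cipher suite ends up selected on the gateway-to-server leg, and the second asks whether the gateway could "down-negotiate" to a suite it supports. The block below is an added example (my code, not Ryan_Ryan's and not anything from Check Point or sk110883) showing what that amounts to at the protocol level: it parses the cipher-suite list out of a TLS 1.2 ClientHello, rewrites the record so only an allow-listed set is offered (recomputing the handshake and record length fields), and reads back which suite a ServerHello selected. The sample records are constructed inline, the INSPECTABLE allow-list is an assumption for the demo rather than a published Check Point list, and nothing here talks to a gateway or a website.

```python
"""Parse and rewrite the cipher-suite list in TLS 1.2 handshake records."""
import struct

# IANA cipher-suite codes for the suites named in the thread plus a few others.
SUITE_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Hypothetical allow-list of suites the inspecting proxy can decrypt. This is an
# assumption for the example, not a list published by Check Point.
INSPECTABLE = {0xC030, 0xC02F, 0xC014, 0x009D, 0x0035}

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2
TLS12 = b"\x03\x03"


def _record(body: bytes, hs_type: int) -> bytes:
    """Wrap a handshake body in a Handshake header and a TLS record header."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites, rand=b"\x11" * 32) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (no extensions) for the demo."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS12 + rand + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs   # cipher_suites vector
            + b"\x01\x00")                      # one compression method: null
    return _record(body, CLIENT_HELLO)


def build_server_hello(suite, rand=b"\x22" * 32) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello for the demo."""
    return _record(TLS12 + rand + b"\x00" + struct.pack("!H", suite) + b"\x00", SERVER_HELLO)


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Validate record and handshake headers, return the handshake body."""
    ctype, rec_len = record[0], struct.unpack("!H", record[3:5])[0]
    if ctype != HANDSHAKE or len(record) != 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if hs_type != expected_type or len(record) != 9 + hs_len:
        raise ValueError("unexpected handshake type or length")
    return record[9:]


def _suites_offset(body: bytes) -> int:
    """Offset of the cipher_suites length field: after version, random, session_id."""
    pos = 2 + 32
    return pos + 1 + body[pos]


def client_hello_suites(record: bytes) -> list:
    """Return the cipher suites a ClientHello offers, in preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = _suites_offset(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    cs = body[pos + 2:pos + 2 + cs_len]
    return [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]


def server_hello_suite(record: bytes) -> int:
    """Return the single cipher suite a ServerHello selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = _suites_offset(body)
    return struct.unpack("!H", body[pos:pos + 2])[0]


def describe(suite: int) -> str:
    return SUITE_NAMES.get(suite, f"unknown(0x{suite:04X})")


def restrict_client_hello(record: bytes, allowed=INSPECTABLE) -> bytes:
    """Rewrite a ClientHello so it offers only suites the proxy can inspect.

    This is what 'down-negotiation' by an inspecting proxy amounts to: the server
    can then only pick a suite the proxy will be able to decrypt. If the client
    offered nothing on the allow-list, only a bypass rule can let the flow through.
    """
    body = _handshake_body(record, CLIENT_HELLO)
    pos = _suites_offset(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    kept = [s for s in client_hello_suites(record) if s in allowed]
    if not kept:
        raise ValueError("no inspectable suite offered; bypass is the only option")
    cs = b"".join(struct.pack("!H", s) for s in kept)
    new_body = body[:pos] + struct.pack("!H", len(cs)) + cs + body[pos + 2 + cs_len:]
    return _record(new_body, CLIENT_HELLO)


if __name__ == "__main__":
    # Constructed sample: a client that prefers the CBC-SHA384 suite from the thread.
    hello = build_client_hello([0xC028, 0xC030, 0xC02F, 0x0035])
    for s in client_hello_suites(hello):
        print(f"{describe(s):45} inspectable={s in INSPECTABLE}")
    print("after rewrite:", [describe(s) for s in client_hello_suites(restrict_client_hello(hello))])
    print("server picked:", describe(server_hello_suite(build_server_hello(0xC028))))
```

In the sample run the client-side preference is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028), the suite the second post found unsupported; after the rewrite the server is left to choose among 0xC030, 0xC02F and 0x0035. The failure branch in restrict_client_hello is the case the thread describes: when nothing inspectable is offered, the only remaining option is the bypass rule, and since the bypass decision has to be made before the handshake completes, it can only key on the IP address, not the URL.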