I have an R80.40 VSX cluster where the vulnerability "TLS 1.1 Protocol Detection" has been reported on port 443. I went through a community post on how to disable 1.1 by editing /web/templates/httpd-ssl.conf.templ (with vi).
My query is: does disabling TLS 1.1 in any way affect the traffic passing through the gateways? If I understand this correctly, this is only related to Gaia Portal access, and disabling TLS will not cause any kind of traffic interruption.
These GWs have the Anti-Bot, Anti-Virus and URL Filtering blades enabled.
Do not make any manual changes. Follow sk126613 and use cipher_util.
I went through this SK but I don't get how TLS is being disabled there.
Moreover, I tried running cipher_util but I get the following:
Make sure the selected blade is active.
'/opt/CPshrd-R80.40/conf/ssl_inspection.cipher' file is corrupted or doesn't exist.
Aborting...
Also, are these TLS settings only limited to Gaia Portal access and not the passing traffic?
Editing the httpd-ssl.conf.templ file doesn't impact the web portal when multi-portal functions are used. If you know which specific ciphers you plan to use, then cipher_util is an option.
Another option would be to use Global Properties in SmartConsole. There is an advanced setting that allows you to configure the minimum TLS setting. This is simply applied when policy is pushed to the gateway.
For gateways this approach is alright, but I am looking to disable TLS 1.0 and TLS 1.1 on the Management Server as well.
Don't disable TLSv1.1 on the Manager; I believe this is needed. I may have put the SK related to this in a previous post related to lockdown.
Can you share the SK please?
I did try to find it; I seem to remember typing in the error I got and then finding an SK which hinted at the requirement for TLSv1.1, so I ensured this was added. Here are my entries on an R81 SMS.
#cat /web/templates/httpd-ssl.conf.templ | grep SSLCipher
SSLCipherSuite HIGH:!ADH:!RC4:!DHE:!LOW:!EXP:!RSA:!eNULL:!aNULL:!SSLv2:!MD5
#cat /web/templates/httpd-ssl.conf.templ | grep SSLProtocol
SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.1 +TLSv1.2 +TLSv1.3
If you can, try to exclude TLSv1.1 as well and see if you get a problem. If I find the SK I will update this thread.
The only odd thing I noted when attempting to scan via each TLS version was that TLSv1.1 came back with nothing:
Here are the results of the scan:
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
------------------------
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 11 cipher suites:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 256 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 128 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 128 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm OK - Not Supported
------------------------
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites.
The server accepted the following 3 cipher suites:
TLS_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
TLS_AES_128_GCM_SHA256 128 ECDH: X25519 (253 bits)
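To reason about what the SSLProtocol line quoted above actually enables, here is an added example (my own code, not Check Point's) that renders the `{ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}` template conditional for a given flag value and then applies Apache mod_ssl's token semantics (`+` adds a version, `-` removes one, a bare token replaces the whole set, tokens processed left to right). Treating `ALL` as every version from SSLv3 to TLSv1.3 is an assumption; it does not change the result for a line that begins with `-ALL`.

```python
"""Evaluate which protocol versions an Apache mod_ssl `SSLProtocol` line
leaves enabled, after rendering the Gaia template conditional quoted in the
thread. Added example, not Check Point code."""
import re

# Protocol tokens mod_ssl understands, in version order (used for display).
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANON = {k.lower(): k for k in KNOWN}
# Assumption: `ALL` expands to every version above. Real builds may exclude
# SSLv3 from ALL; for a line starting with -ALL the outcome is the same.
ALL = set(KNOWN)

# Matches the {ifcmp = $var value}A{else}B{endif} construct from the template.
_COND = re.compile(r"\{ifcmp\s*=\s*\$(\S+)\s+(\S+)\}(.*?)\{else\}(.*?)\{endif\}")


def render_template(line: str, variables: dict) -> str:
    """Render the one conditional form used in httpd-ssl.conf.templ
    (assumption: no other template constructs appear on the line)."""
    def sub(m):
        var, value, if_true, if_false = m.groups()
        return if_true if str(variables.get(var, "")) == value else if_false
    return _COND.sub(sub, line)


def enabled_protocols(directive: str) -> set:
    """Apply mod_ssl semantics: '+' adds, '-' removes, a bare token replaces
    the set built so far. Tokens are processed left to right."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        action, name = "=", tok
        if tok[0] in "+-":
            action, name = tok[0], tok[1:]
        if name.lower() == "all":
            members = set(ALL)
        elif name.lower() in CANON:
            members = {CANON[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token: {tok}")
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = members
    return enabled


def legacy_versions(enabled) -> list:
    """Versions a 'TLS 1.1 Protocol Detection' style finding would flag."""
    return sorted(enabled & {"SSLv3", "TLSv1", "TLSv1.1"}, key=KNOWN.index)


# The SSLProtocol line quoted in the thread (R81 SMS).
TEMPLATE_LINE = ("SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}"
                 "TLSv1.1 +TLSv1.2 +TLSv1.3")


def audit(ssl3_enabled: int) -> dict:
    """Render the template for one flag value and report what stays enabled."""
    rendered = render_template(TEMPLATE_LINE, {"httpd:ssl3_enabled": ssl3_enabled})
    enabled = enabled_protocols(rendered)
    return {
        "rendered": rendered,
        "enabled": sorted(enabled, key=KNOWN.index),
        "legacy": legacy_versions(enabled),
    }


if __name__ == "__main__":
    for flag in (1, 0):
        print(audit(flag))
```

With the flag set to 1 the rendered line becomes `SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +TLSv1.3`, so TLSv1.1 stays on; with 0 it becomes `-TLSv1.1` and only 1.2 and 1.3 remain, which matches the scan above where TLS 1.1 rejected every suite. The bare-token rule is the usual pitfall: `SSLProtocol TLSv1.2 TLSv1.3` without `+` leaves only TLSv1.3 enabled.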
I might do that: disable TLS 1.1 and then observe.
One thing I noticed in your output for SSL ciphers:
SSLCipherSuite HIGH:!ADH:!RC4:!DHE:!LOW:!EXP:!RSA:!eNULL:!aNULL:!SSLv2:!MD5
There is no 3DES at the end. Have you disabled medium ciphers using cipher_util? How do you determine which are the medium-strength SSL ciphers that should be disabled?
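The question of which accepted suites deserve a second look can be answered from the scan output itself. The following added example (my own code, not Check Point's or the scanner's) parses a report in the layout pasted above, records which protocol versions accepted anything, and flags each accepted suite by properties visible in its IANA name: no ephemeral key exchange, 3DES or RC4, CBC mode, a SHA-1 MAC, or a key shorter than 128 bits. Those flagging rules are my assumptions about what a hardening review cares about, not Check Point's definition of "medium" ciphers; the sample report is constructed from the page's own lines plus one 3DES suite added to exercise the checks.

```python
"""Parse the cipher-suite section of a TLS scan report and flag suites a
hardening review would examine. Added example; the classification rules
are assumptions, not a vendor definition of cipher strength."""
import re

# Constructed excerpt in the layout of the scan pasted in the thread; the
# 3DES line is added here so that every rule fires at least once.
SCAN_REPORT = """\
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
------------------------
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 4 cipher suites:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 ECDH: prime256v1 (256 bits)
TLS_RSA_WITH_3DES_EDE_CBC_SHA 112
------------------------
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites.
The server accepted the following 1 cipher suites:
TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
"""

_VERSION = re.compile(r"^\* (TLS \d\.\d|SSL \d\.\d) Cipher Suites:")
_SUITE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+(\d+)")
LEGACY_VERSIONS = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}


def parse_report(text: str) -> dict:
    """Return {version: [(suite_name, key_bits), ...]}; a version the
    server rejected entirely maps to an empty list."""
    result, current = {}, None
    for line in text.splitlines():
        m = _VERSION.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = _SUITE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), int(m.group(2))))
    return result


def suite_findings(name: str, bits: int) -> list:
    """Heuristic flags derived from the IANA suite name (assumptions).
    TLS 1.3 names carry no key-exchange part and are always AEAD, so only
    the key-size rule applies to them."""
    findings = []
    if "_WITH_" in name:
        kex = name[len("TLS_"):name.index("_WITH_")]
        if not kex.startswith(("ECDHE_", "DHE_")):
            findings.append("no forward secrecy")
        if "3DES" in name or "RC4" in name:
            findings.append("legacy cipher (3DES/RC4)")
        if "_CBC_" in name:
            findings.append("CBC mode")
        if name.endswith("_SHA"):
            findings.append("SHA-1 MAC")
    if bits < 128:
        findings.append("key < 128 bits")
    return findings


def review(text: str) -> dict:
    """Summarise a report: legacy versions that accepted any suite, and
    every accepted suite with at least one finding."""
    parsed = parse_report(text)
    flagged = {}
    for version, suites in parsed.items():
        for name, bits in suites:
            findings = suite_findings(name, bits)
            if findings:
                flagged[name] = findings
    return {
        "legacy_versions_accepted": sorted(
            v for v, s in parsed.items() if s and v in LEGACY_VERSIONS),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in review(SCAN_REPORT).items():
        print(key, value)
```

Run against the real output above, the only flags raised are CBC mode and, for `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` and its AES-128 sibling, a SHA-1 MAC; forward secrecy holds for every TLS 1.2 suite, which agrees with the scanner's own "Forward Secrecy OK" line.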
I could not get the cipher_util command to work. In my case I'm only interested in HIGH strength ciphers.
Found the SK I looked at!
sk171707
Symptom:
"SslVersionOrCipherMismatch" error when disabling AES128 and opening a new Logging & Monitor tab in SmartConsole
When we disable TLS1.0, TLS 1.1 and SHA1, the option of disabling AES128 is not supported because this creates a situation where the connection is no longer considered secure.