This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CyberBreaker
Contributor
‎2020-02-26 06:03 AM
Jump to solution

Disable Weak Ciphers for Smart-1

Hello Guys,

I believed it is possible to disable weak ciphers for the security gateway but how about for the security management (smart-1)? I searched over the some data but I always saw the procedure for the security gateways.

Anyone here knows how to disable weak ciphers for smart-1?

Thank you very much for the great help.

 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-02-26 07:10 AM
Jump to solution

Hi @CyberBreaker,

Use the following comand to see all posible ciphers:

# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'

1) Back up the current /web/templates/httpd-ssl.conf.templ file:

# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_backup

2) Assign the 'write' permission to the file:

# ls -l /web/templates/httpd-ssl.conf.templ

# chmod u+w /web/templates/httpd-ssl.conf.templ

# ls -l /web/templates/httpd-ssl.conf.templ

3) Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

       >>>  In the section "SSL Cipher Suite" change the chihper:

       # SSL Cipher Suite:
       # Add your chiper:

       SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-  SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

        4) Restart the httpd
               # tellpm process:httpd2

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

6 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-02-26 07:10 AM
Jump to solution

Hi @CyberBreaker,

Use the following comand to see all posible ciphers:

# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'

1) Back up the current /web/templates/httpd-ssl.conf.templ file:

# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_backup

2) Assign the 'write' permission to the file:

# ls -l /web/templates/httpd-ssl.conf.templ

# chmod u+w /web/templates/httpd-ssl.conf.templ

# ls -l /web/templates/httpd-ssl.conf.templ

3) Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

       >>>  In the section "SSL Cipher Suite" change the chihper:

       # SSL Cipher Suite:
       # Add your chiper:

       SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-  SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

        4) Restart the httpd
               # tellpm process:httpd2

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
CyberBreaker
Contributor
‎2020-02-26 07:16 AM
In response to HeikoAnkenbrand
Jump to solution

Hi @HeikoAnkenbrand ,

Thanks for the help, I will try this.

Is this for HTTPS and SSH as well? Is there's SK document for this one?

Thanks

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-02-26 11:50 AM
In response to G_W_Albrecht
Jump to solution

Hi @G_W_Albrecht ,

this sk is only for gatways not for SMS.

sk126613: Cipher configuration tool for R80.x Gateways

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-02-27 12:58 AM
In response to HeikoAnkenbrand
Jump to solution

Yes, very true ! It is the two other SKs that concern pure SMS.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2021-06-24 01:22 AM
In response to HeikoAnkenbrand
Jump to solution

Here is what I did:

clear
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
chmod u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:!RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.2 +TLSv1.3/g' /web/templates/httpd-ssl.conf.templ
chmod u-w /web/templates/httpd-ssl.conf.templ
/bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
tellpm process:httpd2
tellpm process:httpd2 t
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.

I then ran an sslscan against the IP which resulted in only TLSv1.3 being seen.

Testing SSL server aa.bb.cc.dd on port 443 using SNI name aa.bb.cc.dd

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 enabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.3 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253

Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448

 

What I'm not sure about is if this procedure would need to run again after updating the jumbo.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events