Solved: Disable Weak Ciphers for Smart-1

CyberBreaker · ‎2020-02-26

Hello Guys,

I believed it is possible to disable weak ciphers for the security gateway but how about for the security management (smart-1)? I searched over the some data but I always saw the procedure for the security gateways.

Anyone here knows how to disable weak ciphers for smart-1?

Thank you very much for the great help.

HeikoAnkenbrand · ‎2020-02-26

Hi @CyberBreaker,

Use the following comand to see all posible ciphers:

# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'

1) Back up the current /web/templates/httpd-ssl.conf.templ file:

# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_backup

2) Assign the 'write' permission to the file:

# ls -l /web/templates/httpd-ssl.conf.templ

# chmod u+w /web/templates/httpd-ssl.conf.templ

# ls -l /web/templates/httpd-ssl.conf.templ

3) Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

>>> In the section "SSL Cipher Suite" change the chihper:

# SSL Cipher Suite:
# Add your chiper:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256- SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

4) Restart the httpd
# tellpm process:httpd2

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

HeikoAnkenbrand · ‎2020-02-26

Hi @CyberBreaker,

Use the following comand to see all posible ciphers:

# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'

1) Back up the current /web/templates/httpd-ssl.conf.templ file:

# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_backup

2) Assign the 'write' permission to the file:

# ls -l /web/templates/httpd-ssl.conf.templ

# chmod u+w /web/templates/httpd-ssl.conf.templ

# ls -l /web/templates/httpd-ssl.conf.templ

3) Edit the current /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ

>>> In the section "SSL Cipher Suite" change the chihper:

# SSL Cipher Suite:
# Add your chiper:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256- SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1

4) Restart the httpd
# tellpm process:httpd2

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

CyberBreaker · ‎2020-02-26

Hi @HeikoAnkenbrand ,

Thanks for the help, I will try this.

Is this for HTTPS and SSH as well? Is there's SK document for this one?

Thanks

G_W_Albrecht · ‎2020-02-26

sk126613: Cipher configuration tool for R80.x Gateways

sk147272: Vulnerability scan shows that Gaia Portal supports SSL medium strength cipher suites

sk163542: How to list the current active TLS version supported on Gaia appliances

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

HeikoAnkenbrand · ‎2020-02-26

Hi @G_W_Albrecht ,

this sk is only for gatways not for SMS.

sk126613: Cipher configuration tool for R80.x Gateways

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

G_W_Albrecht · ‎2020-02-27

Yes, very true ! It is the two other SKs that concern pure SMS.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

genisis__ · ‎2021-06-24

Here is what I did:

clear
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
chmod u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:!RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.2 +TLSv1.3/g' /web/templates/httpd-ssl.conf.templ
chmod u-w /web/templates/httpd-ssl.conf.templ
/bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
tellpm process:httpd2
tellpm process:httpd2 t
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.

I then ran an sslscan against the IP which resulted in only TLSv1.3 being seen.

Testing SSL server aa.bb.cc.dd on port 443 using SNI name aa.bb.cc.dd

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 enabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.3 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253

Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448

What I'm not sure about is if this procedure would need to run again after updating the jumbo.

Are you a member of CheckMates?

Disable Weak Ciphers for Smart-1