Tobias_Moritz
Advisor

Log Exporter and TLS with ECC -> not implemented

Hello CheckMates,

Over the last weeks, I had a hard fight with the Log Exporter and TLS configuration.

I post this today, to help other Check Mates not to waste the same amount of time. And to get some clarification from R&D at best.

I read all the documentation, set all the cert stuff correctly and did not face the issues the other Check Mates threads regarding Log Exporter and TLS were about.

But it did not work.

More precisely: I saw a full TCP handshake in packet trace (so network communication was fine) and then the Log Exporter closed the TCP session with TCP-FIN. There was no attempt made to open a TLS session inside that opened TCP session.

Normally Log Exporter should send a TLS client hello to initiate it.

TLS can fail afterwards due to various configuration mistakes you can do on client or server side or just due to incompatible ciphers, but without even a TLS client hello, the problem source is obviously the Log Exporter.

Checking the debug log file did not help. The last lines visible were:

[4127075136][8 Feb 17:49:55] TcpTlsSender::MakeConnection:Certificate initiated OK
[4127075136][8 Feb 17:49:55] TcpTlsSender::MakeConnection:CA initiated OK
[4127075136][8 Feb 17:49:55] TcpTlsSender::MakeConnection: create ckpSSLparams_New succeeded

After that, the Log Exporter process just terminated itself.

That was not helpful at all.

I've checked a manual TLS handshake from SMS to Log Server:

[Expert@SMS:0]# cpopenssl s_client -connect 10.10.10.10:54321 -cert /path/cert.pem -key /path/key.pem -state -debug

and this worked. So no connectivity problems and also no problems with my cert and key (because the server accepted my client cert). Also no cipher compatibility issues. This means when I find out, why Log Exporter is crashing (without error log) before even starting TLS handshake, everything should work.

Because I did not have any idea anymore, I opened a TAC case.

Well, this was not helpful at all. After all the information above (including log file and packet trace) was put in the initial case description, TAC insisted on a network connectivity problem being the cause of the issue. This, of course, did not make sense.

After some long discussion, TAC asked if we used the exact same commands like in the admin guide (or sk) example to create cert, CA and keys. Of course we did not. These are examples using even some legacy crypto options and nothing we can use in production.

But then I tried it (just for curiosity) and: it worked. Wondering what happened here, I had an idea.

Maybe Check Point has some own TLS code in Log Exporter and not using the already available industry standard code on GAIA with quite modern crypto support (OpenSSL) which is used by many other Check Point binaries on that very same SMS.

And that was true, unfortunately. When using the example from Admin Guide and only changing legacy RSA keys to ECC keys, it stopped working and the symptoms were the same, like in my case.

I confronted TAC with that, and the answer was again, not helpful and just wrong:

R80.40 Log Exporter does not support TLS 1.2 (only TLS), while R81.20 does. That's why ECC is not working.

That's wrong on two levels:

1. R80.40 Log Exporter uses TLS 1.2 (even 1.3 is offered in TLS Client Hello). That is even visible in the packet trace I provided.

2. Even with TLS 1.0, ECC is possible.

When asked if we can configure Log Exporter to support ECC and where this limitation is documented, we just got the answer that the example in admin is not an example and it only works that way. It is not planned to change that.

Because all other things this TAC engineer said were wrong, I'm not sure if I can trust this answer.

@PhoneBoy : Any idea about Log Exporter and TLS with ECC? I know that was the team leader for Log Exporter at R&D, but he does not work for Check Point anymore. Who can I ask?

In my country, the regulatory rules allow use of RSA keys in TLS for legacy products for a few more years (was recently extended), but this will for sure end and should we really call Check Point Log Exporter a legacy product? What is the successor?

Maybe this post helps someone and maybe I get some more insights here.

0 Kudos
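
As a pre-flight check for the behaviour reported in the post above, this added example (not part of the original thread and not Check Point code) reads a PEM client certificate and reports whether its public key is RSA or EC by decoding the SubjectPublicKeyInfo algorithm OID. The function names are hypothetical, and it assumes a standard X.509 certificate in PEM form.

```python
import base64, re, sys

KEY_OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}  # RFC 3279 / RFC 5480

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield the TLVs directly inside a constructed value."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body to dotted form (first arc 0 or 1 assumed)."""
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear marks the last byte of an arc
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def cert_key_algorithm(pem_text):
    """Return 'RSA', 'EC' or the raw OID of the certificate's public key algorithm."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode(m.group(1))
    _, cs, ce = read_tlv(der, 0)                       # Certificate SEQUENCE
    _, ts, te = next(children(der, cs, ce))            # tbsCertificate
    fields = list(children(der, ts, te))
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    _, ss, se = fields[5]     # follows serial, signature, issuer, validity, subject
    _, as_, ae = next(children(der, ss, se))           # AlgorithmIdentifier
    _, os_, oe = next(children(der, as_, ae))          # algorithm OID
    oid = decode_oid(der[os_:oe])
    return KEY_OIDS.get(oid, oid)

if __name__ == "__main__":
    print(cert_key_algorithm(open(sys.argv[1]).read()))  # e.g. python3 check.py /path/cert.pem
```

A result of `EC` for the certificate handed to Log Exporter matches the failing case described in the post; `RSA` matches the working one.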
3 Replies
PhoneBoy
Admin

Personally, I'm not familiar with this limitation.
I also don't see any documentation on this, either, so I'll ask around 🙂

PhoneBoy
Admin

I confirmed with R&D that TLS with ECC currently isn't supported with Log Exporter.
We'll update the SK accordingly so it's clear.
If you require this, I recommend reaching out to your local Check Point office. 

0 Kudos
Tobias_Moritz
Advisor

Thank you for clarification, Dameon.

It's sad to hear this outcome, of course.

0 Kudos
