TLS v1.2 not implemented?
Hello Community,
one of our clients was upgraded from Windows 7 to Windows 10 Build 1803. After that he couldn't start the R80.10 SmartDashboard anymore, with the following error displayed:
"Could not establish secure channel for SSL/TLS with authority << MGMT-IP >>:19009"
After a short search we found a related SK article: sk121353
Here we found the cause:
The user has disabled TLS lower than TLS1.2 on the system where the SmartConsole is installed.
And the solution:
Currently, TLS ciphers lower than TLS1.2 are needed to connect from Smart Console to a MDS or Security Management.
Therefore, Check Point has not yet implemented TLS v1.2 for the really critical connection between Management-Client and Management-Server!
TLS v1.2 was officially announced 2008 - 10 Years now. TLS v1.0 and TLS v1.1 are unsafe and almost deprecated:
Deprecating TLS 1.0 & 1.1 | DigiCert Blog
Why hasn't Check Point implemented TLS v1.2 for this critical connection? When will it be implemented (we are talking about R80.10 here)? And when will TLS v1.3 be implemented, which should be officially announced in 2018?
I hope someone can give me a statement about this, as this problem will arise at customers who change to the newest Windows 10. I can't give them an explanation why Check Point still hasn't implemented TLS v1.2 for this critical connection.
Thanks and best regards,
Thomas
Thanks for bringing this up! This issue has been brought up in several security podcasts as well. Unfortunately CP is behind the competition here and this could be a deal breaker when new customers are selecting their security platform. I too am looking forward to an answer.
It would be nice to know if it applies to R80.20 too.
For the general case: TLS1.2 Support Plan for Check Point Products
For this specific case, it seems that we addressed this in an R80.10 Jumbo Hotfix (Take 103 and above) and SmartConsole R80.10 build 042 and above.
@Dameon - Thanks for answering, but I can't see this information for R80.10 in sk107166. There I can see:
SmartConsole -> Contact Check Point Support to get an improved SmartConsole R77.30 that connects to
Management Server with Take 266 of R77.30 Jumbo Hotfix.
But nothing about R80.10, or where do I need to have a look?
Another question would be: if it was solved in R77.30 (Take 266), why is R80.10 still using the pretty old TLSv1.0?
There are two issues here:
- The fact that SmartConsole doesn't work when TLS<1.2 is disabled--that's fixed as I described and you can find references in the relevant Jumbo Hotfix SK (related bug PMTR-2666).
- The fact Port 19009 appears to be using TLS 1.0, which I'm assuming is the real issue you're raising.
In reality, this is a non-issue for a couple of reasons:
- Port 19009 is not a general purpose web server used by a general purpose web client--it is specific to Check Point and SmartConsole R80.x.
- Once the initial connection is made to this port and the admin approves the certificate hash, SmartConsole "pins" the relevant certificate and will only accept that certificate.
- Certificate-based authentication (with pinning) definitely mitigates many potential issues with TLS.
- We've definitely audited source code for the relevant vulnerabilities, as documented here: Status of OpenSSL CVEs
Hope that helps.
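The two things discussed in this thread, which protocol versions a management port actually accepts and whether a client pins the certificate it first saw, can both be checked against your own management server. The script below is an added example written for this page, not code from the thread or from Check Point; it uses only the Python standard library. `<MGMT-IP>` is a placeholder for your own management address, 19009 is the SmartConsole port named in the first post, and `probe_versions` forces one protocol version per handshake so you can see whether TLS 1.0 or 1.1 is still offered after applying the Jumbo Hotfix. `fetch_leaf_der` plus `pin_matches` reproduce the trust-on-first-use pinning described above: store the SHA-256 fingerprint once, then refuse any later connection that presents a different certificate.

```python
"""Audit the TLS versions a management port accepts and pin its certificate.

Added example (not from the CheckMates thread or Check Point). It assumes
a reachable management server at DEFAULT_HOST:DEFAULT_PORT; the host is a
placeholder to be replaced with your own management address.
"""
import hashlib
import hmac
import socket
import ssl

DEFAULT_HOST = "<MGMT-IP>"   # placeholder: your Security Management / MDS address
DEFAULT_PORT = 19009         # SmartConsole port from the thread

# One forced-version probe per entry; a successful handshake means the server offers it.
PROBES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")   # deprecated versions we want to see rejected


def _single_version_context(version):
    """Client context that will only negotiate exactly `version`.

    Verification is disabled on purpose: this is a protocol audit of our own
    server, and the certificate is handled separately by the pinning functions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so the probe reflects the server's policy, not the client's.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_versions(host=DEFAULT_HOST, port=DEFAULT_PORT, timeout=5.0):
    """Return {version_name: accepted_bool} for every entry in PROBES."""
    results = {}
    for name, version in PROBES.items():
        try:
            ctx = _single_version_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


def legacy_versions_enabled(results):
    """Names of the deprecated versions (TLS 1.0 / 1.1) the server accepted."""
    return [v for v in LEGACY if results.get(v)]


def fingerprint(der_cert):
    """SHA-256 fingerprint (lowercase hex, no separators) of a DER certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_fingerprint):
    """Constant-time check of a presented certificate against a stored pin.

    Accepts the pin as plain hex or colon-separated hex in either case, the
    two formats admins usually copy from a certificate dialog.
    """
    expected = expected_fingerprint.lower().replace(":", "")
    return hmac.compare_digest(fingerprint(der_cert), expected)


def fetch_leaf_der(host=DEFAULT_HOST, port=DEFAULT_PORT, timeout=5.0):
    """Fetch the server's leaf certificate (DER) for first-use pinning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    versions = probe_versions()
    for name, ok in versions.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    print("legacy versions still enabled:", legacy_versions_enabled(versions) or "none")
    der = fetch_leaf_der()
    print("leaf certificate SHA-256 pin:", fingerprint(der))
```

Run it once after patching to confirm `legacy versions still enabled: none`, and keep the printed pin; on later connections `pin_matches(fetch_leaf_der(), stored_pin)` returning `False` is the signal that the certificate changed, which is what the pinning in SmartConsole is meant to catch.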
Yes, that really helped - especially the certificate pinning is the game changer here.
Thanks for your answers and information.
