Solved: TLS1.0 on appliance management portals

3d150n · ‎2021-10-14

Hello Guys
After a vulnerability scan on the management network, it was discovered that the web portals of the Management Server r80.40 are accepting TLS1.0
We have applied sk147272: Vulnerability scan shows that Gaia Portal supports SSL medium strength cipher suites and disabled the TLS1.0 and TLS1.1 from the web portals that run on port 443
As this is a management server, it has the certificate authority running, so there is the ICA Management Tool running on port 18265 and still accepting TLS1.0
Do you know what configuration file I have to change in order to disable TLS1.0 for the web server on port 18265 that holds the ICA Management Tool?
Thanks in advance
Edison

Ethan_Schorer · ‎2021-10-18

@genisis__ ,

In order to revert the change - it is more correct to delete the registry key.

So to recap, in order to enforce the use of a minimum version of TLSv1.2:

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CKPSSL_MIN_TLS_VERSION TLS1.2

and then restart the services (cpstop ; cpstart).

In order to revert the change, run:

ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CKPSSL_MIN_TLS_VERSION

and then restart the services (cpstop ; cpstart).

This procedure needs to be done on every gateway/management machine separately.

View solution in original post

PhoneBoy · ‎2021-10-16

The ICA Management Tool is off by default and, if I understand the various SKs, should be disabled when you are not using it.
That said, seems reasonable we should be able to disable TLS 1.0.
@Ethan_Schorer is this something you can help with?

genisis__ · ‎2021-10-17

Is TLS 1.0 even still used in R81.x? I would have though this should be removed by now and have a minimum version of TLSv1.2 but prefer TLSv1.3.

Ethan_Schorer · ‎2021-10-17

Hi @3d150n ,

You can follow the guidelines in sk121356 for setting the minimum to TLSv1.2 (I know the SK is about TE - but it affects this portal as well - I'm working on updating the SK).

Basically, this is what needs to be run in Expert mode:

[Expert@GW]# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CKPSSL_MIN_TLS_VERSION TLS1.2
[Expert@GW]# cprestart

Best regards,

Ethan

p.s. Thank you to @matangi for the guidance

genisis__ · ‎2021-10-17

Is the SK also relevant to R81.x?

Ethan_Schorer · ‎2021-10-17

Yes, @genisis__

That's one of the changes that we're putting into the SK - the supported versions.

genisis__ · ‎2021-10-17

So to recap, in order to enforce the use of a minimum version of TLSv1.2 for all SSL control connections we simply run:

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CKPSSL_MIN_TLS_VERSION TLS1.2

and then restart the services.

Additionally if we wanted to revert the change then we would paste the below?

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CKPSSL_MIN_TLS_VERSION TLS1.0

Also is this procedure specific to the management layer or does it apply to gateways as well?

PhoneBoy · ‎2021-10-17

Pretty certain this needs to be applied on each gateway also.

Ethan_Schorer · ‎2021-10-18

@genisis__ ,

In order to revert the change - it is more correct to delete the registry key.

So to recap, in order to enforce the use of a minimum version of TLSv1.2:

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CKPSSL_MIN_TLS_VERSION TLS1.2

and then restart the services (cpstop ; cpstart).

In order to revert the change, run:

ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CKPSSL_MIN_TLS_VERSION

and then restart the services (cpstop ; cpstart).

This procedure needs to be done on every gateway/management machine separately.

genisis__ · ‎2021-10-18

Would suggest the back-out procedure is also included in the SK.

3d150n · ‎2021-10-18

@Ethan_Schorerjust one last thing:

is there any way to disable 3des from the ciphers?

Best regards

root@tester:~# nmap --script ssl-enum-ciphers -p 18265 aa.bb.cc.dd
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-18 16:20 UTC
Nmap scan report for aa.bb.cc.dd
Host is up (0.00027s latency).

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
root@tester:~#

Ethan_Schorer · ‎2021-10-19

Hi @3d150n ,

Please see our response to Sweet32 attack at sk113114 (and why we aren't vulnerable).

If you want to disable, the instructions are in the SK (I believe for this port you should follow the section labeled "instructions for HTTPS Inspection, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI")

Ethan

3d150n · ‎2021-10-19

Thank you very much to all the community

both registry keys (from sk121356 and sk113114) helped me to fix the issue. There are not any new discovery from the security scanner

Ethan_Schorer · ‎2021-10-25

This is now documented in sk121356:

https://supportcontent.checkpoint.com/solutions?id=sk121356

genisis__ · ‎2021-10-25

Can I confirm the procedure is also the same for MDSM? ie. switch into the DMS then run the procedure, or run from the main starting point?

genisis__ · ‎2021-10-17

I posted this a while back, but you could try this:

Here is what I did:

clear
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
chmod u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:!RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.2 +TLSv1.3/g' /web/templates/httpd-ssl.conf.templ
chmod u-w /web/templates/httpd-ssl.conf.templ
/bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
tellpm process:httpd2
tellpm process:httpd2 t
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.

I then ran an sslscan against the IP which resulted in only TLSv1.3 being seen.

Testing SSL server aa.bb.cc.dd on port 443 using SNI name aa.bb.cc.dd

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 enabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.3 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253

Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448

What I'm not sure about is if this procedure would need to run again after updating the jumbo.

3d150n · ‎2021-10-18

Hi @genisis__

I have already done this procedure as descibed on sk147272 but it only affects the web server on port 443

Regards

Edison

John_Richards · ‎2022-06-14

Is there a difference between sk147272 and sk154532 related to TLS? 532 seems like an easier way to disable TLS1.0.

PhoneBoy · ‎2022-06-15

If you're just concerned about TLS 1.2, then sk154532 is adequate.
If you need to adjust further (e.g. only certain ciphers be enabled) then you need sk147272.

Are you a member of CheckMates?

TLS1.0 on appliance management portals