Thomas_Bennek
Participant

SSL Ciphers Mobile Access Portal

Hello everyone,

For the connection to the Mobile Access Portal we want to use strong ciphers and therefore used "vpn_cipher_priority.conf" in R80.10 to allow only secure ciphers.

For example:

# more /opt/CPshrd-R80/conf/vpn_cipher_priority.conf
(
    :allowed (
        : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
    )
    :forbidden (
        : (TLS_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
        : (TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA)
        : (TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_256_GCM_SHA384)
        : (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
        : (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
        : (TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
        : (TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
        : (TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384)
        : (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384)
        : (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
        : (TLS_RSA_WITH_AES_256_GCM_SHA384)
        : (TLS_RSA_WITH_AES_256_CBC_SHA256)
        : (TLS_RSA_WITH_CAMELLIA_256_CBC_SHA)
        : (TLS_PSK_WITH_AES_256_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
        : (TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA)
        : (TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_128_GCM_SHA256)
        : (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
        : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
        : (TLS_DHE_RSA_WITH_SEED_CBC_SHA)
        : (TLS_DHE_DSS_WITH_SEED_CBC_SHA)
        : (TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
        : (TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
        : (TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256)
        : (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256)
        : (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
        : (TLS_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_RSA_WITH_AES_128_CBC_SHA256)
        : (TLS_RSA_WITH_AES_128_CBC_SHA)
        : (TLS_RSA_WITH_SEED_CBC_SHA)
        : (TLS_RSA_WITH_CAMELLIA_128_CBC_SHA)
        : (TLS_RSA_WITH_IDEA_CBC_SHA)
        : (TLS_PSK_WITH_AES_128_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_RC4_128_SHA)
        : (TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
        : (TLS_ECDH_RSA_WITH_RC4_128_SHA)
        : (TLS_ECDH_ECDSA_WITH_RC4_128_SHA)
        : (TLS_RSA_WITH_RC4_128_SHA)
        : (SSL_CK_RC4_128_WITH_MD5)
        : (TLS_PSK_WITH_RC4_128_SHA)
        : (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA)
        : (TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
        : (TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA)
        : (SSL_CK_DES_192_EDE3_CBC_WITH_SHA)
        : (TLS_PSK_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_RSA_WITH_DES_CBC_SHA)
        : (TLS_DHE_DSS_WITH_DES_CBC_SHA)
        : (TLS_RSA_WITH_DES_CBC_SHA)
        : (TLS_RSA_WITH_RC4_128_MD5)
        : (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
        : (TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
    )
)

After configuring the priority list, the allowed cipher hasn't worked; the configuration is set to "default" because the one allowed cipher is not supported (shown in vpn debug).

Check Point Support said only the ciphers in the following SK are supported: sk108426. But they are all SHA-1 or MD5 ciphers, which are definitely insecure.

But opening the Mobile Access Portal with the default list configured uses a strong AES_128_GCM cipher:

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_GCM (a strong cipher).

Answer from Support:

"I understand your disappointment, however if the customer would like to use other ciphers other than TLS RSA, this would require opening an RFE through your local office. Unfortunately at this point I will proceed to close the case since we as support cannot further assist."

Could this really be true, that Check Point only supports SHA-1 and MD5 ciphers for the Mobile Access Portal? And we need to generate an RFE for changing this?

Support said "however if the customer would like to use other ciphers other than TLS RSA", but the configured allowed cipher is a TLS RSA cipher: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

But in the end, if only SHA-1 and MD5 ciphers are supported, why does the default configuration use a cipher which is not supported, given that it is not listed in the SK article?

Can anyone help me figure out which strong ciphers work with the Mobile Access Portal and how I can force it to use only these ciphers? Support seems not to be able to.

Thanks!
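Two checks a practitioner would want before opening a case like this: is the "allowed" list in the file well formed and free of SHA-1/MD5 suites, and which suites does the portal actually accept on the wire? The Python below is an added example, not code from this thread or from Check Point. It assumes the colon-and-parenthesis layout shown in the post (SAMPLE_CONF is a constructed snippet in that layout), classifies suites by their IANA names, and the two probe functions use Python's ssl module against a host you name; they are not run here.

```python
"""Added example, not Check Point code: extract the allowed/forbidden lists from a
vpn_cipher_priority.conf-style file, flag suites that do not belong in an 'allowed'
list, and probe what a TLS endpoint really accepts. SAMPLE_CONF is constructed."""
import re
import socket
import ssl

SAMPLE_CONF = """
(
    :allowed (
        : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
    )
    :forbidden (
        : (TLS_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_RSA_WITH_RC4_128_SHA)
        : (SSL_CK_RC4_128_WITH_MD5)
    )
)
"""

# ":allowed ( ... )" / ":forbidden ( ... )" whose body is a run of ": (NAME)" entries
_SECTION = re.compile(r":(allowed|forbidden)\s*\(((?:\s*:\s*\([^()]*\))*)\s*\)")
_ENTRY = re.compile(r"\(\s*([^()\s]+)\s*\)")


def cipher_lists(text):
    """Return {'allowed': [...], 'forbidden': [...]} in file order."""
    lists = {"allowed": [], "forbidden": []}
    for name, body in _SECTION.findall(text):
        lists[name].extend(_ENTRY.findall(body))
    return lists


def weak_reasons(suite):
    """Reasons an IANA-named suite does not belong in an allowed list; [] if none."""
    reasons = []
    if suite.startswith("SSL_CK_"):
        reasons.append("SSLv2-era suite")
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    if suite.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    if "RC4" in suite:
        reasons.append("RC4 stream cipher")
    if "3DES" in suite or "DES_192_EDE3" in suite:
        reasons.append("3DES (64-bit block)")
    elif "_DES_" in suite:
        reasons.append("single DES")
    if suite.startswith(("TLS_RSA_WITH_", "TLS_ECDH_RSA_", "TLS_ECDH_ECDSA_", "TLS_PSK_WITH_")):
        reasons.append("no forward secrecy")  # static key exchange
    return reasons


def negotiated_cipher(host, port=443, timeout=5.0):
    """One handshake; returns (OpenSSL cipher name, protocol, bits) the server chose,
    the same facts the browser's security panel reports."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


def _select(ctx, spec):
    """set_ciphers() with OpenSSL's security level relaxed so legacy suites can be
    offered; falls back to the plain spec where @SECLEVEL is unsupported."""
    for attempt in (spec + ":@SECLEVEL=0", spec):
        try:
            ctx.set_ciphers(attempt)
            return True
        except ssl.SSLError:
            continue
    return False


def accepted_ciphers(host, port=443, timeout=5.0):
    """Offer each TLS 1.2 suite the local OpenSSL knows, one per handshake, and
    return the OpenSSL names the server accepts (a refused suite just fails)."""
    probe = ssl.create_default_context()
    _select(probe, "ALL")
    accepted = []
    for info in probe.get_ciphers():
        if info["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not chosen through set_ciphers()
        ctx = ssl.create_default_context()
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        if not _select(ctx, info["name"]):
            continue  # this OpenSSL build will not offer the suite at all
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            pass
    return accepted


if __name__ == "__main__":
    for suite in cipher_lists(SAMPLE_CONF)["allowed"]:
        print(suite, weak_reasons(suite) or "ok")
```

Note that the config file uses IANA names (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) while Python's ssl module reports OpenSSL names (DHE-RSA-AES128-SHA256); `openssl ciphers -stdname` on OpenSSL 1.1.1 or later prints both side by side, which is what you need to compare the output of accepted_ciphers() with the list in the file or in the SK.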

3 Replies
_Val_
Admin

@AndreiR could you please help here?

Thanks

Thomas_Bennek
Participant

Hi all,

help would really be appreciated.

Best regards,

Thomas
Thomas_Bennek
Participant

Hi all,

the problem was solved in the current R80.20 release.
