Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AngelS
Explorer
Jump to solution

Linux users are not able to connect to SNX after removing weak ciphers

Hi all!
After disabling some weak ciphers users on Linux and MAC are not able to connect to SSLVPN.

Firewall OS version: R81.10
User's OS: Ubuntu 22.04
SNX agent  on Users's PC: 800008304
openssl version: 3.0.2

Weak ciphers being disabled are:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Weak ciphers were disabled according sk126613 (https://support.checkpoint.com/results/sk/sk126613#20)


All users using Windows can connect to SSLVPN, all users using Checkpoint Mobile client also can connect. (The ones using SSLVPN are not allowed to use Checkpoint Mobile client due to Compliance prerequisites - they are working with their personal PCs).

nsx.elg debug shows following 5 ciphers on nsx's ciphers list:

[ 80536 -138049728]@user[20 May 22:27:43] Cipher List:
[ 80536 -138049728]@user[20 May 22:27:43] 0: AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 1: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 2: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 3: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
[ 80536 -138049728]@user[20 May 22:27:43] 4: DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

My guess is changing this list will solve the issue.
So is there any way this nsx cipher list to be changed?

Regards!

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
(1)
4 Replies
PhoneBoy
Admin
Admin

This SK says this is currently an RFE: https://support.checkpoint.com/results/sk/sk180837 

(1)
the_rock
Legend
Legend

@PhoneBoy is 100% right...had customer in the past work with TAC and they were told exact same thing, it is an RFE.

Andy

0 Kudos
(1)
Alex-
Leader Leader
Leader

I had this issue a while back. Basically there are much more methods implemented in the Windows client than in the MAC/Linux ones. At least the Mac, I haven't used the Linux yet but I would assume they're similar.

RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 (ietf.org) section 9 defines that TLS_RSA_WITH_AES_128_CBC_SHA is mandatory and with the clients you mentioned it seems to be a limitation of non-Windows clients, by adding TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA MAC, clients could connect again.

0 Kudos
(1)
AngelS
Explorer

Thank you all! I was hoping for some easy solution (like pushing a config setting here and there 🙂 Still this perfectly explains why this issue occured. I guess we will keep these ciphers (although security scans state they are weak) at least until RFE becomes a vital SNX client option.

Cheers mates!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events