Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Silver

MOB and MAC OS X - Don't use TLS 1.2 only

Jump to solution

Cluster of 4800 8GB running R80.30 Take 155 distributed.

No issues running VPN with all kind of Windows PC (Windows client, SSL Extender), but as soon as Mac's stepped in they were unable to launch SNX (would pop up then immediately disconnect) and the VPN client would fail at the site creation. No drops seen in FW logs from the public IP of the client to the public IP of the cluster.

No issues with the same users on the PC systems. After investigation it turned out that cipher_util was used to allow only TLS 1.2 ciphers on primary gateway, but not yet on secondary. Doing a failover solved the issue and Mac OS can now use the client or SNX.

I quickly had a look and don't see this limitation in the release notes or the known limitations, but it works and for now that's all we ask of the system.

So it's a n FYI in case you would suddenly need to support MAC VPN on your TLS 1.2-only MOB and wonder why nothing is working.

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Silver

I checked with TAC and you need to support the following suites:

 

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

I've added the AES ones back and both the client and SNX work now.

Actually, reading the RFCTLS_RSA_WITH_AES_128_CBC_SHA is mandatory to be supported in TLS 1.2

View solution in original post

0 Kudos
2 Replies
Highlighted
Admin
Admin
My understanding is this should work.
Otherwise this SK wouldn't be a thing: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I recommend opening a TAC case to investigate why this isn't working.
0 Kudos
Highlighted
Silver

I checked with TAC and you need to support the following suites:

 

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

I've added the AES ones back and both the client and SNX work now.

Actually, reading the RFCTLS_RSA_WITH_AES_128_CBC_SHA is mandatory to be supported in TLS 1.2

View solution in original post

0 Kudos