This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
MVP Silver
MVP Silver
‎2020-03-19 01:34 AM
Jump to solution

MOB and MAC OS X - Don't use TLS 1.2 only

Cluster of 4800 8GB running R80.30 Take 155 distributed.

No issues running VPN with all kind of Windows PC (Windows client, SSL Extender), but as soon as Mac's stepped in they were unable to launch SNX (would pop up then immediately disconnect) and the VPN client would fail at the site creation. No drops seen in FW logs from the public IP of the client to the public IP of the cluster.

No issues with the same users on the PC systems. After investigation it turned out that cipher_util was used to allow only TLS 1.2 ciphers on primary gateway, but not yet on secondary. Doing a failover solved the issue and Mac OS can now use the client or SNX.

I quickly had a look and don't see this limitation in the release notes or the known limitations, but it works and for now that's all we ask of the system.

So it's a n FYI in case you would suddenly need to support MAC VPN on your TLS 1.2-only MOB and wonder why nothing is working.

0 Kudos
1 Solution

Accepted Solutions
Alex-
MVP Silver
MVP Silver
‎2020-03-24 01:20 PM
In response to PhoneBoy
Jump to solution

I checked with TAC and you need to support the following suites:

 

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

I've added the AES ones back and both the client and SNX work now.

Actually, reading the RFCTLS_RSA_WITH_AES_128_CBC_SHA is mandatory to be supported in TLS 1.2

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2020-03-21 05:28 PM
Jump to solution

My understanding is this should work.
Otherwise this SK wouldn't be a thing: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I recommend opening a TAC case to investigate why this isn't working.
0 Kudos
Alex-
MVP Silver
MVP Silver
‎2020-03-24 01:20 PM
In response to PhoneBoy
Jump to solution

I checked with TAC and you need to support the following suites:

 

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

I've added the AES ones back and both the client and SNX work now.

Actually, reading the RFCTLS_RSA_WITH_AES_128_CBC_SHA is mandatory to be supported in TLS 1.2

Realeboga_Mashi
Contributor
‎2021-03-14 08:42 AM
In response to Alex-
Jump to solution

Thanks @Alex-, in my case I only enabled "TLS_RSA_WITH_AES_256_CBC_SHA" and the MAC clients were able to login once more.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events