Hello everyone,
For the connection to the Mobile Access Portal we want to use strong ciphers and therefore used "vpn_cipher_priority.conf" in R80.10 to allow only secure ciphers.
For example:
# more /opt/CPshrd-R80/conf/vpn_cipher_priority.conf
(
:allowed (
: (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
)
:forbidden (
: (TLS_RSA_WITH_AES_256_CBC_SHA)
: (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
: (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
: (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
: (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
: (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
: (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
: (TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA)
: (TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
: (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
: (TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
: (TLS_DHE_DSS_WITH_AES_256_GCM_SHA384)
: (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
: (TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
: (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
: (TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
: (TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
: (TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
: (TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384)
: (TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384)
: (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384)
: (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384)
: (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA)
: (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
: (TLS_RSA_WITH_AES_256_GCM_SHA384)
: (TLS_RSA_WITH_AES_256_CBC_SHA256)
: (TLS_RSA_WITH_CAMELLIA_256_CBC_SHA)
: (TLS_PSK_WITH_AES_256_CBC_SHA)
: (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
: (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
: (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
: (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
: (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
: (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
: (TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA)
: (TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
: (TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
: (TLS_DHE_DSS_WITH_AES_128_GCM_SHA256)
: (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
: (TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
: (TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
: (TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
: (TLS_DHE_RSA_WITH_SEED_CBC_SHA)
: (TLS_DHE_DSS_WITH_SEED_CBC_SHA)
: (TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
: (TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
: (TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256)
: (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256)
: (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256)
: (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256)
: (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA)
: (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
: (TLS_RSA_WITH_AES_128_GCM_SHA256)
: (TLS_RSA_WITH_AES_128_CBC_SHA256)
: (TLS_RSA_WITH_AES_128_CBC_SHA)
: (TLS_RSA_WITH_SEED_CBC_SHA)
: (TLS_RSA_WITH_CAMELLIA_128_CBC_SHA)
: (TLS_RSA_WITH_IDEA_CBC_SHA)
: (TLS_PSK_WITH_AES_128_CBC_SHA)
: (TLS_ECDHE_RSA_WITH_RC4_128_SHA)
: (TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
: (TLS_ECDH_RSA_WITH_RC4_128_SHA)
: (TLS_ECDH_ECDSA_WITH_RC4_128_SHA)
: (TLS_RSA_WITH_RC4_128_SHA)
: (SSL_CK_RC4_128_WITH_MD5)
: (TLS_PSK_WITH_RC4_128_SHA)
: (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
: (TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA)
: (TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA)
: (TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
: (TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
: (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
: (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
: (TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA)
: (TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA)
: (SSL_CK_DES_192_EDE3_CBC_WITH_SHA)
: (TLS_PSK_WITH_3DES_EDE_CBC_SHA)
: (TLS_DHE_RSA_WITH_DES_CBC_SHA)
: (TLS_DHE_DSS_WITH_DES_CBC_SHA)
: (TLS_RSA_WITH_DES_CBC_SHA)
: (TLS_RSA_WITH_RC4_128_MD5)
: (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
: (TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
)
)
After configuring the priority list, the allowed cipher hasn't worked; the configuration is set to "default" because the one allowed cipher is not supported (shown in vpn debug).
Check Point Support said only the ciphers in the following SK are supported: sk108426. But they are all SHA-1 or MD5 ciphers, which are definitely insecure.
But, opening the Mobile Access Portal with default list configured, uses a strong AES_128_GCM Cipher:
The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_GCM (a strong cipher).
Answer from Support:
"I understand your disappointment, however if the customer would like to use other ciphers other than TLS RSA, this would require opening an RFE through your local office. Unfortunately at this point I will proceed to close the case since we as support cannot further assist."
Could this really be true, Check Point only supports SHA-1 and MD5 ciphers for the Mobile Access Portal? And we need to open an RFE to change this?
Support said: "however if the customer would like to use other ciphers other than TLS RSA", but the configured allowed cipher is a TLS RSA cipher: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
But in the end, if only SHA-1 and MD5 ciphers are supported, why does the default configuration use a cipher which is not supported, because it is not listed in the SK article?
Can anyone help me figure out which strong ciphers are working with the Mobile Access Portal and how I can force it to use only these ciphers? Support seems not to be able to.
Thanks!
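As an added example, not part of the original post and not Check Point's own tooling: a small Python parser for the vpn_cipher_priority.conf structure shown above, with a name-based check for the SHA-1/MD5/RC4-style entries the post is worried about and a flag for exactly the case the post hit, where nothing in :allowed is supported and the gateway silently falls back to the default list. SAMPLE_CONF is a constructed file in the same format, and PLACEHOLDER_SUPPORTED is a made-up stand-in for the supported list in sk108426, which you would fill in from the SK.

```python
import re

# Constructed sample in the post's vpn_cipher_priority.conf format; not the poster's full file.
SAMPLE_CONF = """(
:allowed (
: (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
)
:forbidden (
: (TLS_RSA_WITH_RC4_128_MD5)
)
)"""
# Placeholder for the supported list from sk108426; these two entries are made up.
PLACEHOLDER_SUPPORTED = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"}
_TOKEN = re.compile(r"\(|\)|:[A-Za-z_]\w*|:|[A-Za-z0-9_]+")

def parse_cipher_priority(text):
    """Turn the (:section ( : (NAME) ... )) structure into {section: [names]}."""
    sections, current, depth = {}, None, 0
    for tok in _TOKEN.findall(text):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth <= 1:          # left the :allowed / :forbidden block
                current = None
        elif tok.startswith(":") and len(tok) > 1:
            current = tok[1:]       # section name, e.g. "allowed"
            sections.setdefault(current, [])
        elif tok != ":" and current is not None:
            sections[current].append(tok)
    return sections

def cipher_weaknesses(name):
    """Name-based red flags: legacy primitives, SHA-1/MD5 MACs, no forward secrecy."""
    reasons = [m for m in ("SSL_CK", "RC4", "DES", "MD5", "NULL", "EXPORT") if m in name]
    if name.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    if name.startswith(("TLS_RSA_WITH", "TLS_ECDH_")):
        reasons.append("no forward secrecy")
    return reasons

def audit(conf_text, supported=None):
    """Flag weak :allowed entries and the fallback to the default list when none is supported."""
    allowed = parse_cipher_priority(conf_text).get("allowed", [])
    unsupported = [n for n in allowed if supported is not None and n not in supported]
    return {
        "weak_allowed": {n: cipher_weaknesses(n) for n in allowed if cipher_weaknesses(n)},
        "unsupported_allowed": unsupported,
        "falls_back_to_default": bool(allowed) and len(unsupported) == len(allowed),
    }
```

Run audit() over the real file with the SK's list as `supported` to see, before touching the gateway, whether the :allowed block would be ignored.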