This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MaxGutberletRM
Explorer
‎2021-08-31 08:02 AM
Jump to solution

Trouble with the MACs after hardening Cypers/TLS/SSL

Hello community,

as part of PCI certification we have lately hardened our FW and removed a couple of legacy things - including e.g. support for SSLv3.

Now I have a couple of MACs who can no longer connect to the VPN - track.log looks like this:

 

[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: start ssl negotaition

[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: start openSSL negotaition

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_PrepareConnection: verify mode: 0

[ 688 0x201c99e00][31 Aug 16:16:38][] My SSL Ciphers:

[ 688 0x201c99e00][31 Aug 16:16:38][] Cipher List:

[ 688 0x201c99e00][31 Aug 16:16:38][] 0: AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

[ 688 0x201c99e00][31 Aug 16:16:38][] 1: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1

[ 688 0x201c99e00][31 Aug 16:16:38][] 2: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5

[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: Returning OK!!!

[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CloseProxyConn: Starting ...

[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CancelConnect: Starting ...

[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CancelConnect: Proxy connection is in init state. Cannot cancel connection

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: current state = before/connect initialization

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: should retry.

[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: current state = SSLv2/v3 read server hello A

[ 688 0x201c99e00][31 Aug 16:16:38][] SSL e stack

[ 688 0x201c99e00][31 Aug 16:16:38][] 688:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757

Now the obvious question: why is the MAC Client only trying to connect using SSLv3 ? Surely Is this a left over from previous configs ? We tried deinstall/install but no success.

My cypher list is now:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Any help appreciated.

Regards

MG

 

 

0 Kudos
1 Solution

Accepted Solutions
Alex-
Leader Leader
Leader
‎2021-09-06 11:58 PM
Jump to solution

Try by adding back TLS_RSA_WITH_AES_128_CBC_SHA to comply with the minimum specifications of the TLS 1.2 RFC.

I had an issue where MAC's wouldn't connect and this solved it.

As your logs show, the MAC client is expecting at least these suites:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

But it should do with the AES ones.

View solution in original post

(1)
3 Replies
PhoneBoy
Admin
Admin
‎2021-09-06 03:53 PM
Jump to solution

What precise client is connecting?
What precise version of it?

0 Kudos
Alex-
Leader Leader
Leader
‎2021-09-06 11:58 PM
Jump to solution

Try by adding back TLS_RSA_WITH_AES_128_CBC_SHA to comply with the minimum specifications of the TLS 1.2 RFC.

I had an issue where MAC's wouldn't connect and this solved it.

As your logs show, the MAC client is expecting at least these suites:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

But it should do with the AES ones.

(1)
MaxGutberletRM
Explorer
‎2021-09-08 02:45 AM
In response to Alex-
Jump to solution

This ! I re-enabled the AES-256  ciphers and it worked How do we turn this into a feature Request "MAC Client should be able to connect without RSA based cipher algorithms" ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events