This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JasMan
Contributor
‎2025-04-07 07:26 AM
Jump to solution

CheckPoint SSL bypass not working (previously "... Proxy downgrades TLS version")

Hi all,

We're having a strange behaviour on one of our firewalls.

Users trying to open the website https://go.sospes.com over Checkpoint proxy with HTTPS inspection enabled. But the connection times out.

I run a packet capture on the LAN and WAN interfaces and noticed that the client request is TLSv1.2 and the request on the WAN side TLSv1.0.
I'm sure that the destinatin blocks deprecated protocols like TLSv1 and thats why the users get a timeout.

But why downgrades the firewall the TLS version? It seems that this only happens for this website.

Current version: R81.10 JHF Take 174

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-04-07 09:58 AM
Jump to solution

Performing TLS Inspection for TLS 1.3 requires USFW mode to be enabled.
See: https://support.checkpoint.com/results/sk/sk167052 
Otherwise, the system will downgrade to TLS 1.2.
Since we're starting with TLS 1.2, that isn't the case here.

If this TLSv1 connection occurs from the gateway right after the user initiates the connection, this would be the SNI verification step that is sending it.
Not sure there's a way to tune that, which suggests TAC should be involved.

View solution in original post

9 Replies
the_rock
MVP Gold
MVP Gold
‎2025-04-07 07:57 AM
Jump to solution

Is ssl inspection enabled?

Andy

0 Kudos
Lloyd_Braun
Advisor
‎2025-04-07 08:53 AM
Jump to solution

it looks like that site only support tls v1.3 with limited ciphers. not sure if usfw still required for tls v1.3 support, that was a caveat for a while. SSL Server Test: go.sospes.com (Powered by Qualys SSL Labs) 

 

ciphers supported per https://support.checkpoint.com/results/sk/sk104562

looks like usfw may be required for tlsv1.3 per https://support.checkpoint.com/results/sk/sk65123

0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-07 09:58 AM
Jump to solution

Performing TLS Inspection for TLS 1.3 requires USFW mode to be enabled.
See: https://support.checkpoint.com/results/sk/sk167052 
Otherwise, the system will downgrade to TLS 1.2.
Since we're starting with TLS 1.2, that isn't the case here.

If this TLSv1 connection occurs from the gateway right after the user initiates the connection, this would be the SNI verification step that is sending it.
Not sure there's a way to tune that, which suggests TAC should be involved.

Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-04-07 02:41 PM
Jump to solution

Be aware Wireshark's report of TLS version is frequently misleading.

All TLS handshakes start with a Client Hello specifying TLSv1.0 (identifier 0x0301). There's then an offer inside the Client Hello to actually negotiate TLSv1.1 (0x0302) or TLSv1.2 (0x0303). Then there's an extension inside that which says the client actually supports TLSv1.3 (0x0304).

Until it sees a response, Wireshark shows the lowest possible version of the negotiation. That is almost guaranteed to be a false result caused by your actual problem, which is not getting the Server Hello.

JasMan
Contributor
‎2025-04-08 05:46 AM
In response to Bob_Zimmerman
Jump to solution

You're right. I totaly forgot about this. That's why I wrongly identified it as a TLSv1 request. 😬

We were able to find the reason for the issue.

The site is excluded from HTTPS inspection on all our firewalls. But the rule doesn't match anymore on one firewall since last week.

The last exception logs reportet log

We've created a new rule for the bypass below the non-working rule to solve the issue.

Now we're trying to identify why the global rule is not matching on one firewall.

The last matching log entries for that firewall show an error:

"The probe detected that this destination cannot be inspected and its identity cannot be verified due to a TLS alert (TLS alert: protocol_version)"

After about 20 of this errors no more HTTP inspection logs where generated for this firewall and website.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-04-08 05:59 AM
In response to JasMan
Jump to solution

FWIW, I know its recommended to keep any any bypass at end of ssl inspection policy, but I always do any any inspect and works real well.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-08 06:51 AM
In response to Bob_Zimmerman
Jump to solution

Today I learned. 🙂

the_rock
MVP Gold
MVP Gold
‎2025-04-08 06:58 AM
In response to PhoneBoy
Jump to solution

I bet our friend behind tcpdump101 may had not had know that either, will ask him : - )

Andy

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-04-08 08:07 AM
In response to PhoneBoy
Jump to solution

Here's a screenshot of a negotiation I just caught demonstrating this:

A packet capture of a connection to 1.1.1.1. A Client Hello is selected. It shows handshake version TLSv1.0, handshake protocol client hello version TLSv1.2, then extension: supported versions with support for TLSv1.3.A packet capture of a connection to 1.1.1.1. A Client Hello is selected. It shows handshake version TLSv1.0, handshake protocol client hello version TLSv1.2, then extension: supported versions with support for TLSv1.3.

Incidentally, SSLv3 is protocol 0x0300, so TLSv1.0 is SSLv3.1. The actual implementation details of TLS are deeply irritating. I'm glad somebody else develops the libraries to deal with it.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events