thx, for some reason I miss this one in search box - Disable-TLS-1-0

Its this - sk107744

Hi Martin, 

Thanks for you answer. I find it very strange that there is no exact SK describing how to achieve this for HTTPS inspection in general. Also there is no information about what to do, when this change is applied. For example there is no information about expected behavior... do we need to reboot the gateways for this change to be active? Is there traffic disruption? All is based on assumptions...

To be more exact on your previous answer, i assume that you mean that we have to execute the "workaround" mentioned in this SK?

Regards,

Jelle

sk126613: Cipher configuration tool for Security Gateways

Hi G_W_Albrecht,

Thanks for your response, i am aware of the cipher tool, but disabling a TLS cipher is not the same as disabling the complete tls version...

Is it possible to completely disable TLS1.0/1.1 via the cipher tool? I mean, for example; we can have the cipher string TLS_RSA_WITH_AES_128_CBC_SHA which can be used for both TLS.1.0 and TLS1.2... (LINK)

I think the cipher tool should be extended to also disable the complete protocol or a SK should be available to completely disable these protocols.

Better select which strong cipher suites should be used. TLS_RSA_WITH_AES_128_CBC_SHA is a weak cipher suite - why ?

- Non-ephemeral Key Exchange:

This key exchange algorithm does not support Perfect Forward Secrecy (PFS) which is recommended, so attackers cannot decrypt the complete communication stream.

- Cipher Block Chaining:

My current cipher selection:

SSL Inspection

Enabled:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

@G_W_Albrecht, Thanks for you answer. This gives a way to indeed get what I'm looking for. But not yet on the initial question. How do I explicitly disable TLS version 1.0/1.1 on versions higher than R77.30?

From sk107744 is this still the correct way?

1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

2. Go to File menu - click on Database Revision Control... - create a revision snapshot.

   Note: Database Revision Control is not supported for VSX objects (sk65420).

3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

4. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

5. In the upper left pane, go to Table - Other - ssl_inspection.

6. In the upper right pane, select general_confs_obj.

7. Press CTRL+F (or go to Search menu - Find) - paste ssl_min_ver - click on Find Next.

8. In the lower pane, right-click on the ssl_min_ver - select Edit... - select "TLS1.1" - click on OK:

   

    

9. Save the changes: go to File menu - click on Save All.

10. Close the GuiDBedit Tool.

11. Connect with SmartDashboard to Security Management Server / Domain Management Server.

12. Install the policy onto the relevant Security Gateway / Cluster object.

Or do we need to use the cipher_util to implicitly disable old TLS versions to get the job done? Maybe it's my way of explaining things here but i don't seem to get 1 clear answer for this.

Anyhow, there is a existing TAC case on this 1 so ill wait what they come back with 🙂

May well be that BOTH can be used to achieve the same result - but i would rather use cipher_util instead of GuiDBedit 😎 as i can at the same time disable the weak ciphers !

Hi @_Val_ ,

FYI, I asked Martin if he could share the solution he found, as you can see above he used a snippet from a Sk107744 that is EOL... Why is it, that there doesn't seem to be a (up-to-date / on the point) valid SK about this topic?

Regards,

Jelle

Sk107744 is not applicable to later versions, there is a cipher_util for supported versions. Which is dully mentioned in that very SK

@_Val_, the cipher_util is not sufficient enough to achieve my goal if i understand this correctly.

someone can use a specific cipher for both TLS1.0/1.1 and TLS1.2. What I mean by this is that it doesn't matter if you turn certain ciphers on or off without disabling the specific versions. (A good example is disabling TLS version 1.0 via IPS where you disable the entire version) So I am looking for an SK that specifically describes how to disable the TLS1.0 and TLS.1.1 versions without having to use an outdated SK .

I believe, we have discussed this multiple times in the community over the years. On top of what was mentioned here already, https://community.checkpoint.com/t5/Security-Gateways/Disable-TLS1-0-Chekcpoint-R80-40/m-p/93023#M71...

I do not think we have an SK for this specific topic though, other than the one mentioned above. Mind, the community team is not running SecureKnowledge. If you need an official document/guidance from Check Point, please open a TAC case. 

@_Val_, i understand that the community is not running SK's but my question was if there is any describing my specific question. TAC case was already created but i also wanted to ask the community, because it felt like i was not able to find the correct SK/discussion for this specific question.... Hence this question. FYI the link you provide is regarding the Gaia portal not HTTPS inspection is this correct? Anyway... I will wait for a reply from TAC on this one.. Thanks anyway 🙂

as @Ilya_Yusupov has mentioned below, a new SK for supported versions will be available soon. We will keep you posted

I think there should be the SK and guide how to do it. I mean the official way, easy way as other vendors have it quite easy, one command or click in profile and its done.

For CP we need several threads in forum and a couple outdated SKs.

I understand your argument, and I will raise this issue with our tech documentation team. 

Hi Val,

this sk107744 and procedure here is the same https://community.checkpoint.com/t5/General-Topics/Disable-TLS-1-0/m-p/70338#M14237

Hi Ilya,

Thank you very much for your response. Good to hear that there is coming an SK to describe the correct and more important "Up to Date" information!. 

Regarding the "Meanwhile" you mention, how do we achieve this without Application Control enabled? We have for example:

SSL_INSPECT + IPS

Regards,

Jelle

Hi @Jelle_Hazenberg ,

this is a bit complicated at the moment but we are looking for solution for such cases as well.

unfortunately we don't have at the moment better solution without involving Application Control blade.

we are working on finding solutions.

Thanks,

Ilya 

So eventually i just tested this out in my lab(SMS on R81.10 and (VSX)Gateway on R80.40).... I can confirm that you have 2 options:

Option 1 - use GuiDBEdit

1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

2. Go to File menu - click on Database Revision Control... - create a revision snapshot.

   Note: Database Revision Control is not supported for VSX objects (sk65420).

3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

4. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

5. In the upper left pane, go to Table - Other - ssl_inspection.

6. In the upper right pane, select general_confs_obj.

7. Press CTRL+F (or go to Search menu - Find) - paste ssl_min_ver - click on Find Next.

8. In the lower pane, right-click on the ssl_min_ver - select Edit... - select "TLS1.1" - click on OK:

   

    

    

9. Save the changes: go to File menu - click on Save All.

10. Close the GuiDBedit Tool.

11. Connect with SmartDashboard to Security Management Server / Domain Management Server.

12. Install the policy onto the relevant Security Gateway / Cluster object.

Eventually after testing your new settings, you will see the following logs appearing when trying to connect with TLS1.0/1.1 (Don't mind the strange SSL2.0 message...)

Option 2 - Use the cipher_util

Via this route you can implicitly rule out cipher strings which are also available for TLS1.0/1.1. As discussed above you can use(for example) the cipher list that @G_W_Albrecht provided to achieve the same goal as option 1. The only thing is with option 1 you are certain(because you explicitly configured it) these old TLS versions cannot be used anymore.