This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Fleming
Advisor
‎2020-08-21 11:56 PM
Jump to solution

Legacy Client auth SSL/TLS version

I'm trying to track down how to get legacy client authentication to disable SSLv2/v3 TLS1.0 and TLS1.1. I found

 

sk102989 - Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

and

sk100584 - Cipher strength for Client Authentication feature is under 128-bit and there is no way to control which SSL version to use

 

both basically say to set ASSL_NO_SSLV2=1 and ASSL_NO_SSLV3=1 (how they say to set them is a little different but end result looks the same).

However sk100584 also says how to disable TLS1.0 (but not TLS 1.1 ?) but also says you can't disable all three.

 

I'm a little confused what is the proper way to disable the insecure protocols here. My goal would be to only support TLS1.2 for client auth. Yes, I know captive portal would be better but we're not in a place where we can move everything yet.

0 Kudos
1 Solution

Accepted Solutions
Nachum_Moshe
Employee
Employee
‎2020-08-24 04:32 AM
In response to Royi_Priov
Jump to solution

Client authentication supports only TLS and SSLv3.  SSLv2 is not supported.
We have 2 relevant flags within this legacy feature: TLS and SSLv3.
TLS is enabled by default. To disable it, need to configure ASSL_NO_TLS=1. There is no option to distinguish between TLS versions.
As for SSLv3, 
from R80.40, SSLv3 is disabled by default. To enable it, need to configure ASSL_NO_SSLV3=0.
before R80.40, on Jumbos, SSLv3 is enabled by default. To disable it, need to configure ASSL_NO_SSLV3=1.
Nachum
GM, Web Security Framework.

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-08-22 08:40 AM
Jump to solution

As you probably know, Client Auth is a legacy feature.
Not sure if fixing Client Auth falls under @Royi_Priov ’s team or not.
That said, understanding the precise use case for Client Auth may be useful so we can make Identity Awareness support it.

0 Kudos
Royi_Priov
Employee
Employee
‎2020-08-23 11:04 PM
In response to PhoneBoy
Jump to solution

@Nachum_Moshe can you please assist?

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
Nachum_Moshe
Employee
Employee
‎2020-08-24 04:32 AM
In response to Royi_Priov
Jump to solution

Client authentication supports only TLS and SSLv3.  SSLv2 is not supported.
We have 2 relevant flags within this legacy feature: TLS and SSLv3.
TLS is enabled by default. To disable it, need to configure ASSL_NO_TLS=1. There is no option to distinguish between TLS versions.
As for SSLv3, 
from R80.40, SSLv3 is disabled by default. To enable it, need to configure ASSL_NO_SSLV3=0.
before R80.40, on Jumbos, SSLv3 is enabled by default. To disable it, need to configure ASSL_NO_SSLV3=1.
Nachum
GM, Web Security Framework.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events