nolankam
Explorer

R80.10 disable additional weak ciphers

Hi,

I have used the following two SKs to disable a number of ciphers and limit the server to TLS 1.2:

SK126613: Change the ciphersuite using cipher utility

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

SK147272: Change the cipher suite settings in httpd-ssl.conf.templ

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

They were successful, up to a certain point. That point is the removal of further "weak" ciphers (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA), which my security team identified as static cipher suites.

I've tried to reapply these SKs, but when I run nmap, the three ciphers still return.

For SK147272, we had replaced the existing cipher suite proposed by the SK, “SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1”, with:

“ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK”

But nothing helped. Does anyone have any clue? I have raised this to TAC but no updates yet.

8 Replies
PhoneBoy
Admin

Presumably, you followed all the steps in the SK (including the part where you restart httpd)?
Can you PM me the relevant SR number?

nolankam
Explorer

Hi, I don't have the SR number as it was handled by a third party. But yeah, I have restarted httpd, pushed the policy, and even did a cpstop;cpstart for good measure.

PhoneBoy
Admin

Your partner should be able to provide the Check Point SR number on request.

nolankam
Explorer

Here is the SR number: 6-0002439886

PhoneBoy
Admin

In vpn_cipher_priority.conf, you should probably only have the following two ciphers in the allowed section (at least according to the latest case notes):

:ECDHE-RSA-AES128-GCM-SHA256
:ECDHE-ECDSA-AES128-GCM-SHA256

FYI, in R80.40, we upgraded some of the crypto infrastructure and it might be worth upgrading to leverage more current crypto ciphers.
From R80.30, we have a CLI too (cipher_util) to make it easier to enable/disable ciphers.
R80.10 is nearing End of Support, and I suggest planning to upgrade.

nolankam
Explorer

Thanks, mate! Let me test it out and report the results here. Yes, upgrading to R80.40 is in the pipeline due to the EOS.

Edit: No joy. But the similar results make me guess that the registry update or install policy is not working? I tried the debug options under the Troubleshooting section but was not able to see any logs pertaining to vpnd.elg / cptls_params_reorder_ciphers.

Edit (2): Do note, the following setting will cause the Check Point VPN to be unable to connect.

(attached screenshot: results.png)

nolankam
Explorer

Changing the vpn_cipher_priority.conf does not seem to help; in any case, this affects the Endpoint VPN client connection, rather than standard HTTPS/443, which was what nmap was looking at.

The VPN client will be unable to connect if I remove these: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA. Luckily, one of our guys was still connected and was able to undo the changes.

TAC's advice is that after the two SKs there is nothing else they can do, and an upgrade seems to be my only option.
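An added example (not from the thread and not Check Point tooling) for the two points made above, the SSLCipherSuite strings in the first post and the nmap-versus-VPN distinction in the last one: it expands both cipher strings with the local OpenSSL (assumed to expand them the way mod_ssl does) and checks which TLS_RSA_WITH_* suites from a constructed nmap ssl-enum-ciphers excerpt each string could offer at all. A suite that nmap observed but the configured string cannot produce means the scanned 443 listener is not running the edited httpd-ssl.conf.templ, which is the first thing to establish before touching vpn_cipher_priority.conf.

```python
import re
import ssl

# Cipher string proposed by SK147272, as quoted in the thread.
SK_STRING = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM"
             ":!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1")
# Representative subset of the replacement string the poster applied (same exclusions).
POSTER_STRING = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:"
                 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
                 "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK")
# Constructed excerpt of nmap --script ssl-enum-ciphers output for the 443 listener.
NMAP_SAMPLE = """\
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
"""

def expand(cipher_string):
    """Expand an OpenSSL cipher string locally; returns {openssl_name: key_exchange}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    out = {}
    for c in ctx.get_ciphers():
        m = re.search(r"Kx=(\S+)", c["description"])  # e.g. "Kx=RSA", "Kx=ECDH", "Kx=any"
        out[c["name"]] = m.group(1) if m else "?"
    return out

def static_rsa_suites(cipher_string):
    """Suites in the expanded string that use static RSA key exchange (no forward secrecy)."""
    return sorted(n for n, kx in expand(cipher_string).items() if kx == "RSA")

def observed_static_rsa(nmap_output):
    """IANA names of TLS_RSA_WITH_* suites that nmap saw the server accept."""
    return re.findall(r"^\|\s+(TLS_RSA_WITH_\w+)\s+\(", nmap_output, re.M)

def iana_to_openssl(iana):
    """IANA -> OpenSSL name for the TLS_RSA_WITH_AES_* suites discussed in the thread."""
    m = re.fullmatch(r"TLS_RSA_WITH_AES_(128|256)_(CBC|GCM)_(SHA|SHA256|SHA384)", iana)
    if not m:
        return None
    bits, mode, mac = m.groups()
    return f"AES{bits}-{mac}" if mode == "CBC" else f"AES{bits}-GCM-{mac}"

def diagnose(nmap_output, cipher_string):
    """Per observed static-RSA suite: True if the configured string could offer it at all."""
    allowed = set(static_rsa_suites(cipher_string))
    return {s: iana_to_openssl(s) in allowed for s in observed_static_rsa(nmap_output)}
```

`diagnose(NMAP_SAMPLE, POSTER_STRING)` returns False for all three observed suites: the poster's string contains no static-RSA suite, so if nmap still reports them the listener is not using that configuration.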
PhoneBoy
Admin

Agree that upgrading is probably a good idea here, especially given R80.10 is nearing its End of Support date.
