This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nolankam
Explorer
‎2020-12-01 07:09 PM

R80.10 disable additional weak ciphers

Hi

 

I have used the following two SKs to disable a number of ciphers and limited to TLS1.2

SK126613: Change the ciphersuite using cipher utility

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

SK147272: Change the cipher suite settings in httpd-ssl.conf.templ

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

They were successful, up to a certain point. That point is the remove of further "weak" ciphers (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA), which my security team identified as static cipher suites. 

I've tried to reapply these SKs but when I run nmap, the three ciphers still return.

 

For SK147272, we had replaced the existing ciphersuite as proposed by the SK “SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1” to

 

“ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK”

 

But nothing helped. Anyone has any clue? I have raised this to TAC but no updates yet.

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2020-12-01 09:39 PM

Presumably, you followed all the steps in the SK (including the part where you restart httpd)?
Can you PM me the relevant SR number?

0 Kudos
nolankam
Explorer
‎2020-12-01 11:00 PM
In response to PhoneBoy

Hi, I don't have the SR number as it was handled by a third party. But yeah, have restarted the httpd, and pushed the policy, and even did a cpstop;cpstart for good measure. 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-01 11:01 PM
In response to nolankam

Your partner should be able to provide the Check Point SR number on request.

0 Kudos
nolankam
Explorer
‎2020-12-02 11:14 PM
In response to PhoneBoy

Here is the SR number: 6-0002439886

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-03 03:19 PM
In response to nolankam

In vpn_cipher_priority.conf, you should probably only have the following two ciphers in the allowed section (at least according to the latest case notes):

:ECDHE-RSA-AES128-GCM-SHA256
:ECDHE-ECDSA-AES128-GCM-SHA256

FYI, in R80.40, we upgraded some of the crypto infrastructure and it might be worth upgrading to leverage more current crypto ciphers.
From R80.30, we have a CLI too (cipher_util) to make it easier to enable/disable ciphers.
R80.10 is nearing End of Support and suggest planning to upgrade. 

0 Kudos
nolankam
Explorer
‎2020-12-03 04:52 PM
In response to PhoneBoy

Thanks, mate! Let me test it out and report the results here. Yes, upgrading to R80.40 is in the pipeline due to the EOS. 

Edit: No joy. But the similar results are making me guessing that the registry update or install policy is not working?  I tried the debug options under the Troubleshooting section but I was not able to see any logs pertaining to vpnd.elg / cptls_params_reorder_ciphers

Edit (2): do note, the following setting will cause the Checkpoint VPN to be unable to connect.

results.png

0 Kudos
nolankam
Explorer
‎2020-12-08 01:06 AM
In response to PhoneBoy

Changing the vpn_cipher_priority.conf does not seem to help; in any case, this affects the Endpoint VPN client connection, rather than standard HTTPS/443, which was what nmap was looking at.

The VPN client will be unable to connect if I remove these: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA. Luckily, one of our guys were still connected and was able to undo the changes. 

TAC's advise is after the two SKs, there is nothing else they can do, and upgrade seems to be my only option. 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-08 09:15 AM
In response to nolankam

Agree that upgrading is probably a good idea here, especially given R80.10 is nearing its End of Support date.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events