This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gregory_Link
Contributor
‎2018-07-27 07:39 AM
Jump to solution

SSL Inspection Broken - Wikipedia

All,

It seems we've always had issues off and on with Checkpoints SSL Inspection and are routinely needing to bypass sites/IPs on a regular basis, so thought I would reach out to see if this is the norm or if I'm missing something.  How are other people handling this?

A great example came up today with Wikipedia (see below). 

We are running RR77.30 - Build 092   

   HOTFIX_R77_30
   HOTFIX_GEYSER_PINK6_HF
   HOTFIX_R77_30_HF5_PINK_PERF_003
   HOTFIX_GEYSER_HF_BASE_861
   HOTFIX_R77_30_JUMBO_HF    Take: 286
  HOTFIX_R77_30_JHF_T280_240

Your Browser's Connection Security is Outdated

English: Wikipedia is making the site more secure. You are using an old web browser that will not be able to connect to Wikipedia in the future. Please update your device or contact your IT administrator.

We are removing support for non forward secret ciphers, specifically AES128-SHA, which your browser software relies on to connect to our sites. This is usually caused by using some ancient browsers or user agents like old Nokia smartphones or Sony Playstation3 gaming consoles. Also it could be interference from corporate or personal "Web Security" software which actually downgrades connection security.

You must upgrade your browser or otherwise fix this issue to access our sites. This message will remain until Aug 1, 2018. After that date, your browser will not be able to establish a connection to our servers at all.

Preview file
55 KB
1 Solution

Accepted Solutions
Henrique_Sauer_
Contributor
‎2018-07-27 10:02 AM
Jump to solution

Hello Gregory,

Have a look at this sk:

This can be helpfull too:

Are this parameters enabled in you gateway?

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_RI_AS_CLIENT_EXT 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1

You should check running this command:

cat $CPDIR/registry/HKLM_registry.data | grep -i cptls

Regars

View solution in original post

0 Kudos
4 Replies
Henrique_Sauer_
Contributor
‎2018-07-27 10:02 AM
Jump to solution

Hello Gregory,

Have a look at this sk:

This can be helpfull too:

Are this parameters enabled in you gateway?

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_RI_AS_CLIENT_EXT 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1

You should check running this command:

cat $CPDIR/registry/HKLM_registry.data | grep -i cptls

Regars

0 Kudos
Gregory_Link
Contributor
‎2018-07-27 11:54 AM
In response to Henrique_Sauer_
Jump to solution

Hi Henrique,

The command you provided returned 0 results on both of our firewalls.  Does that then mean these parameters need to be added?  If so, will this have any adverse impact?

Thanks,

Greg Link

0 Kudos
Henrique_Sauer_
Contributor
‎2018-07-27 02:59 PM
In response to Gregory_Link
Jump to solution

No, it wont have any impact:


Try to add them and check again:


To add

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1

ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_RI_AS_CLIENT_EXT 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1


On both gateways.


cpstop;costart required


To delete if you want:


ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE

ckp_regedit -d SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384

ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CPTLS_RI_AS_CLIENT_EXT

ckp_regedit -d SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA



Regards dear and hope it helps

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-27 10:07 AM
Jump to solution

Based on the number of threads we see on CheckMates related to this topic, you're not alone.

There are some HTTPS Inspection improvements in later versions of the Jumbo Hotfix that you may wish to investigate.

We are also working on improvements in later releases.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events