This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lemm
Explorer
‎2024-11-22 03:27 AM

TLS version

Hi All,

I have disabled tls v1 and v1.1 from my firewalls , but during a recent pen test it found an issue "Insecure SSL/TLS Protocols - LOW - External".

I have used show ssl tls enabled command and can see only tls v1.2 is enabled.

Can you help with some other commands to check further or what could cause this issue to pop up during pen test ?

0 Kudos
6 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-11-22 04:12 AM

You disabled via CLI?  Maybe also check sk154532 depending on the port / service reported by the scan.

CCSM R77/R80/ELITE
0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-11-22 04:59 AM

Hello,

To check SSL V2
openssl s_client -connect secureurl.com:443 -ssl2
To Check SSL V3
openssl s_client -connect secureurl.com:443 –ssl3
To Check TLS 1.0
openssl s_client -connect secureurl.com:443 –tls1
To Check TLS 1.1
openssl s_client -connect secureurl.com:443 –tls1_1
To Check TLS 1.2
openssl s_client -connect secureurl.com:443 –tls1_2
 
Check that IP which was marked as vulnerable in the report.
 
Akos
----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-11-22 05:02 AM

Can you see what you have here in global properties in smart console?

Andy

 

 

Screenshot_1.png

Best,
Andy
CaseyB
Advisor
‎2024-11-22 06:24 AM

You might need to disable some ciphers even though TLS 1.2 is the only thing enabled; we had something similar happen with our pen test.

sk126613 - Cipher configuration tool 'cipher_util' for Security Gateways

We "passed" using this configuration:

R8110_ciphers.png

AkosBakos
MVP Silver
MVP Silver
‎2024-11-22 06:28 AM
In response to CaseyB

And you can test it, one-by-one too 🙂

openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443

 

----------------
\m/_(>_<)_\m/
(1)
the_rock
MVP Platinum
MVP Platinum
‎2024-11-22 06:30 AM
In response to AkosBakos

Just tried with google.com, super useful command!

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events