This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lemm
Explorer
‎2024-11-22 03:27 AM

TLS version

Hi All,

I have disabled tls v1 and v1.1 from my firewalls , but during a recent pen test it found an issue "Insecure SSL/TLS Protocols - LOW - External".

I have used show ssl tls enabled command and can see only tls v1.2 is enabled.

Can you help with some other commands to check further or what could cause this issue to pop up during pen test ?

0 Kudos
6 Replies
Chris_Atkinson
Employee Employee
Employee
‎2024-11-22 04:12 AM

You disabled via CLI?  Maybe also check sk154532 depending on the port / service reported by the scan.

CCSM R77/R80/ELITE
0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2024-11-22 04:59 AM

Hello,

To check SSL V2
openssl s_client -connect secureurl.com:443 -ssl2
To Check SSL V3
openssl s_client -connect secureurl.com:443 –ssl3
To Check TLS 1.0
openssl s_client -connect secureurl.com:443 –tls1
To Check TLS 1.1
openssl s_client -connect secureurl.com:443 –tls1_1
To Check TLS 1.2
openssl s_client -connect secureurl.com:443 –tls1_2
 
Check that IP which was marked as vulnerable in the report.
 
Akos
----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend
‎2024-11-22 05:02 AM

Can you see what you have here in global properties in smart console?

Andy

 

 

Screenshot_1.png

CaseyB
Advisor
‎2024-11-22 06:24 AM

You might need to disable some ciphers even though TLS 1.2 is the only thing enabled; we had something similar happen with our pen test.

sk126613 - Cipher configuration tool 'cipher_util' for Security Gateways

We "passed" using this configuration:

R8110_ciphers.png

AkosBakos
Mentor Mentor
Mentor
‎2024-11-22 06:28 AM
In response to CaseyB

And you can test it, one-by-one too 🙂

openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443

 

----------------
\m/_(>_<)_\m/
the_rock
Legend
Legend
‎2024-11-22 06:30 AM
In response to AkosBakos

Just tried with google.com, super useful command!

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top