Hello Community,
One of our clients was upgraded from Windows 7 to Windows 10 Build 1803. After that he couldn't start R80.10 SmartDashboard anymore, with the following error displayed:
"Could not establish secure channel for SSL/TLS with authority << MGMT-IP >>:19009"
After a short search we found a related skArticle: sk121353
Here we found the cause:
The user has disabled TLS lower than TLS1.2 on the system where the SmartConsole is installed.
And the solution:
Currently, TLS ciphers lower than TLS1.2 are needed to connect from Smart Console to a MDS or Security Management.
Therefore, Check Point has not yet implemented TLS v1.2 for the really critical connection between Management-Client and Management-Server!
TLS v1.2 was officially announced in 2008 - 10 years now. TLS v1.0 and TLS v1.1 are unsafe and almost deprecated:
Deprecating TLS 1.0 & 1.1 | DigiCert Blog
Why hasn't Check Point implemented TLS v1.2 for this critical connection? When will it be implemented (we are talking about R80.10 here)? And when will TLS v1.3 be implemented then, which should be officially announced in 2018?
I hope someone can give me a statement about this, as this problem will arise at customers who will change to the newest Windows 10. I can't give them an explanation why Check Point still hasn't implemented TLS v1.2 for this critical connection.
Thanks and best regards,
Thomas
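One way to check whether a workstation is in the state the SK article describes (TLS below 1.2 disabled on the SmartConsole machine). This is an added example, not part of the original post or of Check Point's tooling, and it assumes the protocols were turned off through the standard Windows SChannel registry keys:

```powershell
# Added example: report the client-side SChannel state of TLS 1.0/1.1/1.2.
# Assumption: protocol overrides live under the standard SCHANNEL\Protocols key.
# Read-only; changes nothing on the system.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientState {
    param([Parameter(Mandatory)][string]$Protocol)

    $key   = Join-Path $base "$Protocol\Client"
    $state = [ordered]@{
        Protocol          = $Protocol
        Enabled           = $null
        DisabledByDefault = $null
        Status            = 'OS default (no override)'
    }

    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $state.Enabled           = $props.Enabled
        $state.DisabledByDefault = $props.DisabledByDefault

        # Enabled = 0 switches the protocol off outright; DisabledByDefault = 1
        # means it is only used when an application asks for it explicitly.
        if ($props.Enabled -eq 0) {
            $state.Status = 'Disabled'
        } elseif ($props.DisabledByDefault -eq 1) {
            $state.Status = 'Off by default'
        } else {
            $state.Status = 'Enabled by override'
        }
    }
    [pscustomobject]$state
}

$report = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelClientState $_ }
$report | Format-Table -AutoSize

# Flag the condition from the thread: both legacy versions unavailable to clients.
$legacyOff = @($report | Where-Object {
    $_.Protocol -ne 'TLS 1.2' -and $_.Status -in 'Disabled', 'Off by default'
})
if ($legacyOff.Count -eq 2) {
    Write-Warning 'TLS 1.0 and TLS 1.1 are both disabled or off by default for SChannel clients on this machine.'
}
```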
Thanks for bringing this up! This issue has been brought up in several security podcasts as well. Unfortunately CP is behind the competition here and this could be a deal breaker when new customers are selecting their security platform. I too am looking forward to an answer.
Would be nice to know if it applies to R80.20 too.
For the general case: TLS1.2 Support Plan for Check Point Products
For this specific case, it seems that we addressed this in an R80.10 Jumbo Hotfix (Take 103 and above) and SmartConsole R80.10 build 042 and above.
@Dameon - Thanks for answering, but I can't see this information for R80.10 in sk107166. There I can see:
SmartConsole -> Contact Check Point Support to get an improved SmartConsole R77.30 that connects to
Management Server with Take 266 of R77.30 Jumbo Hotfix.
But nothing about R80.10, or where do I need to have a look?
Other question would be, if it was solved in R77.30 (Take 266), why is R80.10 still using pretty old TLSv1.0?
There are two issues here:
In reality, this is a non-issue for a couple of reasons:
Hope that helps.
Yes, that really helped - especially the certificate pinning is the game changer here.
Thanks for your answers and information.