Thomas_Bennek
Participant

TLS v1.2 not implemented?

Hello Community,

one of our clients was upgraded from Windows 7 to Windows 10 Build 1803. After that he couldn't start R80.10 SmartDashboard anymore, with the following error displayed:

"Could not establish secure channel for SSL/TLS with authority << MGMT-IP >>:19009"

After a short search we found a related skArticle: sk121353

Here we found the cause:

The user has disabled TLS lower than TLS1.2 on the system where the SmartConsole is installed.

And the solution:

Currently, TLS ciphers lower than TLS1.2 are needed to connect from Smart Console to a MDS or Security Management.

Therefore, Check Point has not yet implemented TLS v1.2 for the really critical connection between Management-Client and Management-Server! 

TLS v1.2 was officially announced in 2008, 10 years ago now. TLS v1.0 and TLS v1.1 are unsafe and almost deprecated:

Deprecating TLS 1.0 & 1.1 | DigiCert Blog 

Why hasn't Check Point implemented TLS v1.2 for this critical connection? When will it be implemented (we are talking about R80.10 here)? And when will TLS v1.3 be implemented then, which should be officially announced in 2018?

I hope someone can give me a statement about this, as this problem will arise at customers who will change to the newest Windows 10. I can't give them an explanation why Check Point still hasn't implemented TLS v1.2 for this critical connection.

Thanks and best regards,

Thomas

6 Replies
Ilmo_Anttonen
Collaborator

Thanks for bringing this up! This issue has been brought up in several security podcasts as well. Unfortunately CP is behind the competition here and this could be a deal breaker when new customers are selecting their security platform. I too am looking forward to an answer.

Marco_Valenti
Advisor

Would be nice to know if it applies to r80.20 too

PhoneBoy
Admin

For the general case: TLS1.2 Support Plan for Check Point Products 

For this specific case, it seems that we addressed this in an R80.10 Jumbo Hotfix (Take 103 and above) and SmartConsole R80.10 build 042 and above.

Thomas_Bennek
Participant

@Dameon - Thanks for answering, but I can't see this information for R80.10 in sk107166. There I can see:

SmartConsole -> Contact Check Point Support to get an improved SmartConsole R77.30 that connects to Management Server with Take 266 of R77.30 Jumbo Hotfix.

But nothing about R80.10, or where do I need to have a look?

Another question would be: if it was solved in R77.30 (Take 266), why is R80.10 still using the pretty old TLSv1.0?

PhoneBoy
Admin

There are two issues here:

  • The fact that SmartConsole doesn't work when TLS<1.2 is disabled--that's fixed as I described and you can find references in the relevant Jumbo Hotfix SK (related bug PMTR-2666).
  • The fact Port 19009 appears to be using TLS 1.0, which I'm assuming is the real issue you're raising.

In reality, this is a non-issue for a couple of reasons:

  • Port 19009 is not a general purpose web server used by a general purpose web client--it is specific to Check Point and SmartConsole R80.x.
  • Once the initial connection is made to this port and the admin approves the certificate hash, SmartConsole "pins" the relevant certificate and will only accept that certificate.
  • Certificate-based authentication (with pinning) definitely mitigates many potential issues with TLS. 
  • We've definitely audited source code for the relevant vulnerabilities, as documented here: Status of OpenSSL CVEs 

Hope that helps.
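The trust-on-first-use pinning described in the reply above, as an added Python example (not Check Point's or SmartConsole's code): on the first connection to an authority the operator approves the certificate's SHA-256 fingerprint and it is stored; every later connection to that authority is accepted only if it presents exactly that certificate, regardless of CA validity. The `host:port` authority form, the in-memory dict pin store, the `approve` callback and the TLS 1.2 minimum (mirroring the Windows client setting from the thread) are assumptions.

```python
import hashlib
import socket
import ssl
from typing import Callable, Dict, Optional, Tuple

PinStore = Dict[str, str]               # "host:port" -> hex SHA-256 of the DER certificate
Approver = Callable[[str, str], bool]   # (authority, fingerprint) -> did the operator approve?


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate; this is the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(pins: PinStore, authority: str, der_cert: bytes,
              approve: Optional[Approver] = None) -> Tuple[bool, str]:
    """Trust-on-first-use: an unknown authority is accepted only if the operator
    approves its fingerprint (which is then stored); a known authority is accepted
    only if it presents exactly the pinned certificate."""
    fp = fingerprint(der_cert)
    pinned = pins.get(authority)
    if pinned is None:
        if approve is not None and approve(authority, fp):
            pins[authority] = fp
            return True, fp
        return False, fp           # never seen and not approved: refuse
    return pinned == fp, fp        # any other certificate, CA-signed or not, is refused


def connect_pinned(host: str, port: int, pins: PinStore,
                   approve: Optional[Approver] = None,
                   minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> Tuple[str, str]:
    """Open a TLS connection and enforce the pin. CA validation is off because a
    management certificate is typically self-signed; trust comes from the pin.
    `minimum` is the client-side policy from the thread (assumed default TLS 1.2):
    against a TLS 1.0-only server the handshake fails before the pin is checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = minimum
    authority = f"{host}:{port}"        # assumed key format for the pin store
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            ok, fp = check_pin(pins, authority, der, approve)
            if not ok:
                raise ssl.SSLCertVerificationError(
                    f"{authority}: certificate {fp} does not match pin {pins.get(authority)}")
            return tls.version(), fp    # negotiated protocol, e.g. "TLSv1.2", and the pin
```

The mismatch branch is the one worth alerting on: a pinned authority suddenly presenting a different certificate is either a planned certificate rotation or an interception, and should be treated as the latter until confirmed.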

Thomas_Bennek
Participant

Yes, that really helped - especially the certificate pinning is the game changer here.

Thanks for your answers and information.

