Symptoms here are: with HTTPS inspection enabled on an R77.30 gateway, I have had quite a few sites not working ("connection terminated").
The workaround I have been using was to put a bypass for the IP address of the site in position #1 in the policy (putting a bypass by regex matching the URL does not fix it). As the number of sites has grown, I need a proper fix. I have found that all the offending sites seem to be offering TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as their first preference.
I found sk110883, which seems to relate. As I am running take 317, I believe all I need to do is the registry change to support SHA-384 and reboot.
It looks like I have two options though:
To prefer / propose ECDHE cipher suites:
- [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
- [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
To prefer / propose ECDSA cipher suites:
- [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1
- [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1
I presume I would choose ECDHE and just run those two lines, is there any potential for breaking sites using ECDSA?
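To decide which of the two registry options actually applies, it helps to break a site's offered cipher suites into their key-exchange part (ECDHE vs RSA/DHE) and their certificate-authentication part (RSA vs ECDSA), since the ECDHE keys cover the first and the ECDSA keys the second. The script below is an added example, not from the original post or from Check Point: it parses IANA-style names (`TLS_ECDHE_RSA_WITH_...`) and OpenSSL-style names (`ECDHE-ECDSA-AES128-GCM-SHA256`), reports which capability each suite needs, and echoes the `ckp_regedit` lines quoted above. The suite list is constructed; the SHA-384 entry is a placeholder because the post names sk110883 but not the key. The optional `negotiated_cipher()` probe needs network access and assumes the host is reachable directly (that is, not through the inspecting gateway).

```python
"""Classify TLS cipher suite names to see which gateway settings a site needs.
Added example (not from the original post); sample suite names are constructed."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IANA style: TLS_<kx>[_<auth>]_WITH_<cipher>, e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
IANA_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?_WITH_(?P<cipher>.+)$"
)
# OpenSSL style: [<kx>-<auth>-]<cipher>, e.g. ECDHE-ECDSA-AES128-GCM-SHA256 or AES256-SHA
OPENSSL_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|ECDH|DHE|DH)-(?P<auth>RSA|ECDSA|DSS|PSK)-)?(?P<cipher>.+)$"
)
# Sanity filter so arbitrary strings are not accepted as OpenSSL cipher names
CIPHER_TOKEN_RE = re.compile(r"AES|CHACHA|3DES|DES|RC4|CAMELLIA|ARIA|SEED|NULL")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: ECDHE, DHE, RSA, ... or "TLS1.3"
    auth: str      # certificate type used for authentication: RSA, ECDSA, ...
    cipher: str    # symmetric cipher plus PRF/MAC part
    sha384: bool   # True when the PRF/MAC is SHA-384


def parse_suite(name: str) -> Optional[Suite]:
    """Split a suite name into its components; returns None if it is not a suite name."""
    m = IANA_RE.match(name)
    if m:
        kx, auth, cipher = m.group("kx"), m.group("auth"), m.group("cipher")
    elif name.startswith("TLS_"):
        # TLS 1.3 suites (TLS_AES_256_GCM_SHA384 ...) carry no kx/auth in the name
        kx, auth, cipher = "TLS1.3", "any", name[4:]
    else:
        m = OPENSSL_RE.match(name)
        if not m or not CIPHER_TOKEN_RE.search(m.group("cipher")):
            return None
        kx, auth, cipher = m.group("kx"), m.group("auth"), m.group("cipher")
    # In static-RSA suites (TLS_RSA_WITH_..., AES256-SHA) the RSA key does both jobs
    return Suite(name, kx or "RSA", auth or "RSA", cipher, cipher.endswith("SHA384"))


def gateway_requirements(suite_names: Iterable[str]) -> dict:
    """Which capabilities (ECDHE key exchange, ECDSA auth, SHA-384) the offered suites need."""
    needs = {"ECDHE": False, "ECDSA": False, "SHA384": False, "unparsed": []}
    for n in suite_names:
        s = parse_suite(n)
        if s is None:
            needs["unparsed"].append(n)
            continue
        needs["ECDHE"] = needs["ECDHE"] or s.kx == "ECDHE"
        needs["ECDSA"] = needs["ECDSA"] or s.auth == "ECDSA"
        needs["SHA384"] = needs["SHA384"] or s.sha384
    return needs


# Registry lines quoted in the post; the SHA-384 key name is not given there, so it is a placeholder
REGISTRY_HINTS = {
    "ECDHE": ["ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1",
              "ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1"],
    "ECDSA": ["ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1",
              "ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1"],
    "SHA384": ["<SHA-384 registry change as described in sk110883; key name not in the post>"],
}


def suggested_commands(suite_names: Iterable[str]) -> List[str]:
    """Registry lines relevant to the suites a site offers, in the post's order."""
    needs = gateway_requirements(suite_names)
    out: List[str] = []
    for key in ("ECDHE", "ECDSA", "SHA384"):
        if needs[key]:
            out.extend(REGISTRY_HINTS[key])
    return out


def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0):
    """Connect directly and return (openssl_cipher_name, protocol). Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return name, proto


# Constructed sample: preferences seen for an "offending" site, first preference first
SAMPLE_SITE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    print(gateway_requirements(SAMPLE_SITE_SUITES))
    for cmd in suggested_commands(SAMPLE_SITE_SUITES):
        print(cmd)
```

Feeding it the suite order from a ClientHello/ServerHello capture of one of the failing sites shows whether only the ECDHE lines apply or whether the site also authenticates with an ECDSA certificate, in which case the second pair of keys becomes relevant too.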