
HTTPS inspection ECDHE

Question asked by Ryan Ryan on Oct 4, 2018
Latest reply on Oct 10, 2018 by Ryan Ryan

Hi guys,

Symptoms here are: with HTTPS inspection enabled on an R77.30 gateway, I have had quite a few sites not working ("connection terminated").

The workaround I have been using was to put a bypass for the IP address of the site in position #1 in the policy (putting a bypass by regex matching the URL does not fix it). As the number of sites has grown, I need a proper fix. I have found all the offending sites seem to be offering TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as their first preference.

I found sk110883, which seems to relate. As I am running take 317, I believe all I need to do is the registry change to support 384 and reboot.

It looks like I have two options though:

  • To prefer / propose ECDHE cipher suites:
    1. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
    2. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
  • To prefer / propose ECDSA cipher suites:
    1. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1
    2. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1

I presume I would choose ECDHE and just run those two lines. Is there any potential for breaking sites using ECDSA?

thanks
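
Added example for this thread (not code from the original post, from sk110883 or from Check Point): a small Python parser that reads a TLS 1.2 ServerHello record and reports the negotiated cipher suite, splitting the suite name into its key-exchange part (ECDHE versus static RSA) and its authentication part (RSA versus ECDSA certificate). That split is exactly the distinction between the two registry options quoted above, so it is a quick way to check what a site that fails under inspection actually requires. The ServerHello bytes are constructed inline (zeroed server random, no extensions) rather than captured from a real site, and the cipher-suite table is a subset of the IANA registry.

```python
"""Parse a TLS 1.2 ServerHello record and classify the negotiated cipher suite.

Added example for this thread; it is not Check Point code. The ServerHello
bytes are constructed here (zeroed random, no extensions), not captured.
"""
import struct

# Subset of the IANA TLS cipher suite registry (code point -> name).
CIPHER_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # the suite named in the question
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def classify_suite(name):
    """Split a TLS 1.2 suite name into (key_exchange, authentication).

    'TLS_ECDHE_RSA_WITH_...' -> ('ECDHE', 'RSA'); 'TLS_RSA_WITH_...' -> ('RSA', 'RSA'),
    because a static-RSA suite uses the certificate key for both roles.
    """
    algs = name.split("_WITH_")[0].split("_")[1:]
    key_exchange = algs[0]
    authentication = algs[1] if len(algs) > 1 else algs[0]
    return key_exchange, authentication


def build_server_hello(suite, session_id=b""):
    """Build a minimal TLS 1.2 ServerHello record (constructed test input)."""
    server_random = bytes(32)                          # a real server sends 32 random bytes
    body = struct.pack("!H", 0x0303) + server_random   # server_version 3.3 = TLS 1.2
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!HB", suite, 0)               # chosen suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body      # type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake  # 0x16 = handshake


def parse_server_hello(record):
    """Return the negotiated suite and its key-exchange/authentication families."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 38:              # 2 + 32 + 1 + 2 + 1 bytes minimum
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                       # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # skip session_id
    if pos + 3 > len(body):                            # suite (2) + compression (1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    name = CIPHER_SUITES.get(suite)
    if name is None:
        key_exchange = authentication = "UNKNOWN"
        name = "UNKNOWN_0x%04X" % suite
    else:
        key_exchange, authentication = classify_suite(name)
    return {
        "version": version,
        "cipher_suite": suite,
        "name": name,
        "key_exchange": key_exchange,
        "authentication": authentication,
        "needs_ecdhe": key_exchange == "ECDHE",    # inspector must handle ECDHE key exchange
        "needs_ecdsa": authentication == "ECDSA",  # inspector must handle an ECDSA certificate
    }


if __name__ == "__main__":
    for code in (0xC030, 0xC02B, 0x009D):
        info = parse_server_hello(build_server_hello(code, session_id=b"\x01\x02\x03"))
        print("%-42s kx=%-6s auth=%s" % (info["name"], info["key_exchange"], info["authentication"]))
```

Fed the ServerHello captured from a site that fails under inspection, the parser shows whether the negotiated suite needs ECDHE key exchange, an ECDSA certificate, or both. The suite named in the question, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, uses ECDHE key exchange with an RSA certificate, so it falls under the first of the two registry options; the ECDSA-authenticated suites (0xC02B, 0xC02C in the table) also use ECDHE key exchange, which is why the two option pairs in sk110883 are separate knobs.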
