This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ryan_Ryan
Advisor
‎2018-10-04 07:11 PM

HTTPS inspection ECDHE

Hi guys,

Symptoms here are, with HTTPS inspection enabled on an R77.30 gateway, I have had quite a few sites not working, ("connection terminated") 

The workaround I have been using, was to put a bypass for the IP address of the site in position #1 in the policy (Putting a bypass by regex matching URl does not fix it). As the number of sites has growing, I need a proper fix. I have found all the offending sites seem to be offering TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as their first preference. 

I found sk110883 which seems to relate. As I am running take 317. I believe all I need to do is the registry change to support 384 and reboot. 

 

It looks like I have two options though:

  • To prefer / propose ECDHE cipher suites:

    1. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
    2. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1

  • To prefer / propose ECDSA cipher suites:

    1. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1
    2. [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1

I presume I would choose ECDHE and just run those two lines, is there any potential for breaking sites using ECDSA?

thanks

0 Kudos
2 Replies
Ofir_Shikolski
Employee
Employee
‎2018-10-04 08:32 PM

Qualys SSL Labs - SSL Pulse ?

Ryan_Ryan
Advisor
‎2018-10-10 10:13 PM

So after making the change I had some improvements, some websites that were previously broken started working without needing an https bypass.

However I found some sites still don't load unless specially bypassed by IP address.

When I look at the first cipher offered by the website, it reports:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

When I look at this page of supported ciphers:

Supported cipher suites for HTTPS Inspection 

we can see that its specifically not supported. So my question is, what exactly can we do about it? I'm going to end up with 100's of websites in my bypass rule, and as we have to do it via IP, anytime a site changes IP or one that uses CDN its going to break again.

It makes sense that the bypass doesn't work by url regex (it can't see the url yet because it doesn't understand how to negotiate a secure connection).

Are there plans to add support for these ciphers, or some way to configure the checkpoint to try and down negotiate to a supported cipher?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events