Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ryan_Ryan
Advisor
Jump to solution

Disable SSLv3 on CPCA

Hi I am following:

https://dl3.checkpoint.com/paid/7a/7ab66b38bbe0505e3933c89fe00b020d/CP_CloudServices_AdminGuide_2.5....

to setup LTA between our cloud and the onprem log server. I am stuck at the point of pulling the cert from the manager to the log server. Running the script does it for you, also the document details how to do it manually, however both fail with the same error:

Opsec error. rc=-1 err=-100 General error in Certificate Authority

(command: opsec_pull_cert )

I did a tcpdump on the traffic, what I am seeing is the log server trying to establish an SSLv3 connection to the manager on port 18210, and the session tanks out with a handshake failed. I suspect the manager is refusing to communicate on sslv3, is there anyway I can turn off sslv3 on the log server? I have it already disabled on the webserver, I am not sure where this setting would be, or alternatively can I enable it temporarily on the manager to get the cert pushed?

 

0 Kudos
1 Solution

Accepted Solutions
Ryan_Ryan
Advisor

Ok I have a solution/workaround, but its an issue CP will need to fix.

 

the LTA.tgz file on the cloud portal contains an outdated version of "opsec_pull_cert" and "opsec_pull_cert.exe", this version only seems to support sslv3. The way to resolve it is on your log server run this:

find /  -name opsec_pull_cert

and find the version bundled with log exporter (on my R80.40 it was in /opt/CPrt-R80.40/log_indexer/opsec_pull_cert)

Copy that binary file, and overwrite it in the LTA extracted folder, now when you run ./LTA run the fetch certificate process will work and use tls1.x because its using the newer opsec_pull_cert binary

 

View solution in original post

0 Kudos
1 Reply
Ryan_Ryan
Advisor

Ok I have a solution/workaround, but its an issue CP will need to fix.

 

the LTA.tgz file on the cloud portal contains an outdated version of "opsec_pull_cert" and "opsec_pull_cert.exe", this version only seems to support sslv3. The way to resolve it is on your log server run this:

find /  -name opsec_pull_cert

and find the version bundled with log exporter (on my R80.40 it was in /opt/CPrt-R80.40/log_indexer/opsec_pull_cert)

Copy that binary file, and overwrite it in the LTA extracted folder, now when you run ./LTA run the fetch certificate process will work and use tls1.x because its using the newer opsec_pull_cert binary

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events