Danny

Disable weak ciphers on remote access clients?

We hardened a customer's security gateway via cipher_util (sk126613) and disabled all weak ciphers to reach PCI DSS compliance. Then remote access clients (macOS using visitor mode) failed to connect, so we opened an SR.

Check Point support advised us to enable these three ciphers according to sk108426:

  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

and noted:

It is best to keep the 3 ciphers on to avoid any issues regarding remote access/mobile access connectivity.
Currently there is no ETA as to whether the client will be on the same cipher suite as the GW itself.

Of course that doesn't satisfy our customer as it conflicts with PCI DSS requirements for strong ciphers, such as SHA-2.
Is there any other solution or workaround available?
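As an added example (not part of the post, and not a Check Point tool), the script below parses IANA cipher-suite names such as the three above and reports why each one fails a strong-cipher policy, so the conflict between the support recommendation and the PCI DSS requirement can be documented suite by suite. The weakness rules and the contrasting modern suite are constructed assumptions for illustration.

```python
import re

# IANA-style suite name, e.g. TLS_RSA_WITH_AES_128_CBC_SHA ->
# key exchange "RSA", bulk cipher "AES_128_CBC", hash "SHA" (HMAC-SHA1 for CBC suites).
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<enc>[A-Z0-9_]+?)_(?P<hash>MD5|SHA|SHA256|SHA384)$"
)

def parse_suite(name: str) -> dict:
    """Split an IANA cipher-suite name into key-exchange, bulk-cipher and hash parts."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return m.groupdict()

def weaknesses(name: str) -> list:
    """Return the reasons a suite fails the (assumed) strong-cipher policy; [] means it passes."""
    p = parse_suite(name)
    reasons = []
    if p["enc"].startswith("RC4"):
        reasons.append("RC4 stream cipher")
    if p["enc"].startswith(("3DES", "DES")):
        reasons.append("DES/3DES 64-bit block cipher")
    if p["hash"] == "MD5":
        reasons.append("MD5 MAC")
    elif p["hash"] == "SHA" and "CBC" in p["enc"]:
        reasons.append("HMAC-SHA1 MAC (not SHA-2)")
    if p["kx"] == "RSA":
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons

def audit(suites: list) -> dict:
    """Map each enabled suite to its list of weaknesses."""
    return {s: weaknesses(s) for s in suites}

def policy_conflicts(suites: list) -> list:
    """Suites that are required for client connectivity but fail the policy."""
    return [s for s, why in audit(suites).items() if why]

# The three suites support asked to keep enabled (from the post), plus one
# constructed modern suite to show what passes.
SUPPORT_REQUIRED = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
MODERN_EXAMPLE = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

if __name__ == "__main__":
    for suite, why in audit(SUPPORT_REQUIRED + [MODERN_EXAMPLE]).items():
        print(f"{suite:42} {'OK' if not why else '; '.join(why)}")
```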
