Disable SSLv3 and TLSv1.0 -- POODLE vulnerability

Hi All,

I am looking to disable SSLv3 and TLSv1.0 on the Check Point gateways running R77.30 Take-185. I have been working with Check Point support to disable SSLv3 and TLSv1.0 and just enable TLSv1.1 and TLSv1.2 for the GAIA portal but haven't got anywhere. I tried a couple of procedures from the Check Point UserCenter (sk102989, and disabling the protocols in the Portal properties in Global Properties). It's been a decade that TLSv1.1 has been out in the market; I was wondering how Check Point can not have an option to disable these weak protocols even on their latest OS version?

I would appreciate any suggestions if anyone has run into a similar issue.

You must have run into this too?

Have you run into this?

Hi Vijay,

The R77.30 take you are running has an older OpenSSL library, which didn't support TLSv1.2 yet. You need take 266. Please see sk107166. This is a very recent release.

The steps to disable SSLv3 on the GAIA portal do not work? (sk102989) I am surprised that the steps in the SK do not disable SSLv3.

This may not pertain to your situation but you could whitelist access to the GAIA portal only allowing a jump server to talk to it, then patch your jump server.

The SK's suggestion of enabling the IPS protection "Secure Socket Layer (SSL) v3.0" also seems to be another fix.

Have you implemented both and they do not work? What is the exact reason they do not work? Do you have some parts working and others not?

I would recommend the latest jumbo hotfix take, as they just recently added TLS 1.2 support with it. (take 266)

I could get this fixed only by going to the latest hotfix take-286 and then manually disabling SSLv3, TLSv1 and TLSv1.1 in /web/templates/httpd-ssl.conf.templ (sk120846).

What I observed was that even though my gateway was on R77.30 take-254, the scanner still flagged me for SSLv3, whereas Check Point support says that SSLv3 is by default disabled on R77.30 and above, which is not true.
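
Added example, not part of the thread and not Check Point's code: a small audit of Apache-style `SSLProtocol` lines, for checking the result of an edit like the one to /web/templates/httpd-ssl.conf.templ described above. It assumes the file uses the standard mod_ssl `SSLProtocol` directive; the sample lines and the function names are constructed for illustration.

```python
import re

KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {p.lower(): p for p in KNOWN}   # mod_ssl matches names case-insensitively
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.*)$", re.IGNORECASE)


def enabled_protocols(args):
    """Evaluate one SSLProtocol argument list, left to right."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        # Assumption: "all" includes SSLv3, as on older OpenSSL builds.
        group = set(KNOWN) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= group
        else:
            # Unprefixed names are treated as additive: this can over-report
            # but never under-report what the server would enable.
            enabled |= group
    return enabled


def audit(config_text, weak=("SSLv3", "TLSv1")):
    """Return (line number, enabled, weak still enabled) per SSLProtocol line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:  # lines starting with '#' are comments and never match
            enabled = enabled_protocols(match.group(1))
            findings.append((number, sorted(enabled), sorted(enabled & set(weak))))
    return findings


# Constructed sample lines, not the contents of the Check Point template.
SAMPLE = """\
# everything on
SSLProtocol all
# SSLv3 removed, TLSv1 and TLSv1.1 still accepted
SSLProtocol all -SSLv3
# only TLSv1.2 left
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    # The weak list follows the post above: SSLv3, TLSv1 and TLSv1.1.
    for number, enabled, weak in audit(SAMPLE, weak=("SSLv3", "TLSv1", "TLSv1.1")):
        print(f"line {number}: enabled={enabled} weak={weak or 'none'}")
```

A clean result here only says the file no longer asks for the weak protocols; a scan of the listening port, as in the last post, is still what confirms the running service.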