
Thread: HTTPS Inspection - Handshake Failure - Cipher..?

This question is not answered. Helpful answers available: 2. Correct answers available: 1.


Replies: 3 - Pages: 1 - Last Post: May 10, 2017 9:54 AM by: amir kagan
Stephen Henihan

Posts: 1
Registered: 12/16/15
HTTPS Inspection - Handshake Failure - Cipher..?
Posted: Apr 12, 2017 7:56 PM
 

Specific example is SurveyMonkey.com. Connections fail unless we bypass TLS inspection.
Using OpenSSL I can see that connection to some of these sites employs ECDHE-RSA-AES256-SHA. SSL Labs shows many references to secp384r1 and the site prides itself on its new A rating.
When I inspect sites, the MITM TLS connection between the client and the Check Point appliance seems to step back down to AES 128-bit. Some sites accept this (https://www.aib.ie) but it appears that others do not.
I was going to look into how to update or configure Check Point NGX 4400 to step up to AES256 and higher ciphers when I found articles saying that this was supported in the latest Jumbo updates.
However, https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106162 indicates there is a version 221 out since early March. Using the Gaia web interface, the Updates CPUSE section only offered me Take 216 - no 221.
Is there a reason for this - am I not recommended to update to 221?
I want to ensure that inspection can continue on sites such as these, so where can I find the 221 version to install it and enable support for these bigger ciphers - or even just a simple fix to rectify this one issue?

Currently installed hotfixes:
Check Point CPinfo build 176 for R77, R77.10, R77.20, R77.30
Jumbo Hotfix Accumulator General Availability for R77.30 Take 216
HOTFIX_GAIA_GEYSER_HF_BASE_013
HOTFIX_R77_30

Added current hotfix info.


Message was edited by: Stephen Henihan
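
Added example, not part of the original thread: one way to check the cipher question raised in the post above from a packet capture, by listing the cipher suites and curves in a ClientHello and intersecting them with what the server accepts. The sample ClientHellos and the server's accepted sets used with it are constructed for illustration (not captured from a Check Point gateway or from SurveyMonkey), and `parse_client_hello`, `build_client_hello` and `negotiable` are hypothetical names.

```python
import struct

# IANA identifiers for the suites and curves named in this thread (plus neighbours).
SUITES = {0xC014: "ECDHE-RSA-AES256-SHA", 0xC013: "ECDHE-RSA-AES128-SHA",
          0x0035: "AES256-SHA", 0x002F: "AES128-SHA"}
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1"}

def parse_client_hello(record: bytes):
    """Return (cipher_suite_ids, supported_group_ids) from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:5 + struct.unpack("!H", record[3:5])[0]]
    try:
        pos = 2 + 32                              # client_version + random
        pos += 1 + body[pos]                      # session_id
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = [s for (s,) in struct.iter_unpack("!H", body[pos + 2:pos + 2 + n])]
        pos += 2 + n
        pos += 1 + body[pos]                      # compression methods
        groups = []
        if pos + 2 <= len(body):                  # extensions are optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                if etype == 0x000A:               # supported_groups
                    data = body[pos + 6:pos + 4 + elen]   # skip 2-byte list length
                    groups = [g for (g,) in struct.iter_unpack("!H", data)]
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return suites, groups

def build_client_hello(suites, groups):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record."""
    cs = struct.pack(f"!{len(suites)}H", *suites)
    gl = struct.pack(f"!{len(groups)}H", *groups)
    ext = struct.pack("!HHH", 0x000A, len(gl) + 2, len(gl)) + gl
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def negotiable(record, server_suites, server_groups):
    """Suite and curve names offered in the ClientHello that the server also accepts."""
    suites, groups = parse_client_hello(record)
    return ([SUITES.get(s, hex(s)) for s in suites if s in server_suites],
            [GROUPS.get(g, hex(g)) for g in groups if g in server_groups])
```

An empty first list means the two sides share no cipher suite, which is the condition a server answers with a `handshake_failure` alert.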

amir kagan

Posts: 4
Registered: 2/12/08
Re: HTTPS Inspection - Handshake Failure - Cipher..?
Posted: May 8, 2017 10:58 AM   in response to: Stephen Henihan
 

Hi,
I have the same problem with this SurveyMonkey.com site and also https://www.crunchbase.com/ for example.
I upgraded to Jumbo 216 (R77.30) and I get the same error: "This page can't be displayed"

Does anyone have a solution for this problem?

John Borden

Posts: 1
Registered: 12/14/09
Re: HTTPS Inspection - Handshake Failure - Cipher..?
Posted: May 9, 2017 5:49 PM   in response to: amir kagan
 

Any update on this? Same issue with surveymonkey.com

amir kagan

Posts: 4
Registered: 2/12/08
Re: HTTPS Inspection - Handshake Failure - Cipher..?
Posted: May 10, 2017 9:54 AM   in response to: John Borden
 

Not now,
Bypassing www.surveymonkey.com, or by IP address, is also not working.
Bypassing HTTPS inspection to any solves the issue, but this is not a good solution!!!

Any update?
