 | ||
 SSL 3.0 on Splat | ||
| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||||||
 |
| | LinkBack | Thread Tools | Display Modes |
 2007-12-26 | |||
| |||
 SSL 3.0 on Splat Web Service (https) running on the SecurePlatform Management Server, Gateways modules and Eventia Servers encrypts traffic using SSL 2.0, can it use SSL 3.0 or TLS 1.0 instead ? Vijay  |
| 2007-12-26 | |||
| |||
| Re: SSL 3.0 on Splat No it doesn't. It initially opens the page with V2 so a non-TLS browser can be notified that it needs to upgrade, then it will switch to TLS. This is something I received from RnD a while ago, and posted here before: -------- "The question here is not of support for SSLv3. We support SSLv3 as well as the more advanced TLS. The problem here is that we also support SSLv2, which is less secure. A web browser can connect to a SPLAT gateway using any of these protocol versions. In additions to these three protocol versions, there is also a transition version, where the client sends the first message of SSLv2 (called "Client Hello") with an attribute that says that it actually supports SSLv3 or TLS. In that case, the server may either reply using SSLv3 (or TLS) or stay with SSLv2 depending on its configuration. The HTTPS server that was scanned supports all 4 modes. We have considered totally removing support for SSLv2, and supporting only SSLv3 and TLS. However, this is a bad idea, because Internet Explorer by default uses the transition (SSLv2 client hello with support for SSLv3, but no TLS). Since we can't disable SSLv2, we've done the next best thing. We let the SSL protocol run, and close the connection if it did not end up as SSLv3 or TLS. This has the effect of preventing the insecure SSLv2, while still allowing Internet Explorer to run. Windows Vista and probably some future Windows XP service pack will have SSLv2 disabled. When this becomes common enough, we may be able to totally disable SSLv2. To sum things up: - R55 allows SSLv2 - NGX only allows SSLv2 for the transition. One further note: Even in NGX all the SSLv2 negotiation can pass before the connection is broken. This has no security implication, but may trick Nessus into reporting that SSLv2 is supported. To demonstrate that this is not so, you can configure Internet Explorer to support only SSLv2 (uncheck "Use SSL 3.0" under Tools->Internet Options...->Advanced->Security) and try to connect to the gateway. |
|
| Thread Tools | |
| Display Modes | |
| |
Linear Mode
