Tuesday, February 7, 2012

How to secure SSL connections and remove DigiNotar certificates from the Trusted CAs list

Solution ID: sk65277
Product: Application Control, DLP, IPS, URL Filtering, Security Gateway, Mobile Access / SSL VPN
Version: R75.20
OS: Other
Platform: All
Date Created: 04-Sep-2011
Last Modified: 06-Nov-2011
SOLUTION
BACKGROUND
The Dutch Certificate Authority DigiNotar suffered a breach, in which an unknown number of forged certificates were issued to unknown attackers. Some of these certificates later surfaced, where they were being used to silently intercept HTTPS traffic in Iran. DigiNotar kept the attack secret for six weeks, until an Iranian user reported the problem to Google. A good summary of the attack can be found here: http://www.computerworld.com/s/article/9219663/Hackers_may_have_stolen_over_200_SSL_certificates
Because of the scope of the breach, and the lack of disclosure by the Certificate Authority, the major browser vendors (Microsoft, Mozilla, and Google) have decided to no longer trust certificates signed by DigiNotar. As an explanation of the rationale, see this: https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
To address this threat, Check Point released an update of the trusted certificate stores for the following products:
  • Security Gateway and SmartCenter R65, R70, R71, R75
  • Connectra R66.1 and R66.1n, R75 Mobile Access Blade, R71 SSLVPN Blade
  • SSL Inspection feature of R75.20 Application Control Blade
  • SmartDashboard R65, R70, R71, R75
  • Provider-1
In addition, the Check Point IPS Blade provides the protection described in CPAI-2011-414 to address this vulnerability in other products.

RESOLUTION
Removing DigiNotar CA from trusted CA store for Security Gateway and Security Management server

Perform the following:
  1. Download the updated ca-bundle.crt
  2. Copy it to the following locations:
    • $FWDIR/bin/ca-bundle.crt
    • $WEBISDIR/conf/ca-bundle.crt
  3. Run cpstop;cpstart

Removing DigiNotar CA from trusted CA store for Connectra/Mobile Access Blade/SSLVPN Blade

Run the following commands:
  1. rm $CVPNDIR/var/ssl/ca-bundle/DigiNotar_Root_CA.pem
  2. rehash_ca_bundle

Removing DigiNotar CA from trusted CA store for the SSL Inspection feature

Check Point recommends updating the certificate list by removing the two DigiNotar certificates.
  1. Access the Trusted CAs list, as follows: In SmartDashboard, under the Application Control & URL Filtering Blade tab, select 'Advanced > HTTPS Inspection > Trusted CAs'.
  2. Search for the DigiNotar certificates. The search results should return: DigiNotar Root CA G2 and DigiNotar Root CA.
     [Screenshot: Trusted CAs list]
  3. Select the two certificates to remove and delete them by using the "Remove" button.

Related Solution: sk64521 - HTTPS Inspection Trusted CA list updates

Removing DigiNotar CA from trusted CA store for SmartDashboard

Perform the following:
  1. Download the updated ca-bundle.crt
  2. Copy it to <SDB_INSTAL_DIR>\data
     (for example C:\Program Files (x86)\Checkpoint\SmartConsole\R75.20\PROGRAM\data)

Removing DigiNotar CA from trusted CA store for Provider-1

Perform the following:
  1. Download the updated ca-bundle.crt file.
  2. Copy it to the $MDS_TEMPLATE/bin directory.
  3. Run mdsstop;mdsstart
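The Security Gateway, SmartDashboard and Provider-1 procedures above all come down to installing a replacement ca-bundle.crt, and the natural follow-up check is whether the bundle you are about to copy (or the one already on the box) still carries a DigiNotar root. The Python script below is an added example, not part of the Check Point solution: it splits a PEM bundle into certificates, walks each one's DER encoding to collect its name strings, counts the certificates that still name DigiNotar, and writes out a filtered copy. The certificate bodies it ships with are constructed DER stubs that wrap only a name string; they are not real certificates, but the walker performs the same traversal on a real X.509 body, where the strings it returns are the subject and issuer attribute values.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# --- Constructed sample bundle (NOT real certificates) ----------------------
# Each "certificate" is a hand-built DER SEQUENCE wrapping a UTF8String, which is
# enough to exercise the same walk the script performs on a real X.509 body.

def der_utf8(text: str) -> bytes:
    """DER UTF8String (tag 0x0C); short-form length, so text must be under 128 bytes."""
    raw = text.encode("utf-8")
    return bytes([0x0C, len(raw)]) + raw

def der_seq(*children: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) around the given encoded children (short-form length)."""
    body = b"".join(children)
    return bytes([0x30, len(body)]) + body

def pem_block(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

SAMPLE_NAMES = [
    "Example Root CA (constructed)",
    "DigiNotar Root CA",
    "DigiNotar Root CA G2",
    "Another Sample CA (constructed)",
]
SAMPLE_BUNDLE = "".join(pem_block(der_seq(der_seq(der_utf8(n)))) for n in SAMPLE_NAMES)

# --- Bundle handling --------------------------------------------------------

def bundle_certs(text: str) -> list[str]:
    """Split a ca-bundle into its PEM CERTIFICATE blocks (text between blocks is dropped)."""
    return [m.group(0) for m in PEM_RE.finditer(text)]

def cert_der(block: str) -> bytes:
    """Base64-decode one PEM block to DER."""
    m = PEM_RE.search(block)
    if m is None:
        raise ValueError("not a PEM CERTIFICATE block")
    return base64.b64decode("".join(m.group(1).split()))

def der_strings(der: bytes) -> list[str]:
    """Walk a DER structure and return every PrintableString/UTF8String/IA5String leaf.

    Constructed elements (SEQUENCE, SET, [n] tags) are entered recursively; primitive
    wrappers such as BIT STRING and OCTET STRING are not, so on a real certificate this
    yields the subject and issuer attribute values rather than extension contents.
    """
    found: list[str] = []
    pos = 0
    while pos < len(der):
        tag = der[pos]
        length = der[pos + 1]
        pos += 2
        if length & 0x80:  # long-form length: low 7 bits give the number of length octets
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        value = der[pos:pos + length]
        pos += length
        if tag & 0x20:  # constructed bit set: descend into the element
            found.extend(der_strings(value))
        elif tag in (0x13, 0x0C, 0x16):  # PrintableString, UTF8String, IA5String
            found.append(value.decode("utf-8", errors="replace"))
    return found

def audit_bundle(text: str, marker: str) -> int:
    """Number of certificates in the bundle whose name strings contain marker (0 = clean)."""
    return sum(
        1 for block in bundle_certs(text)
        if any(marker in s for s in der_strings(cert_der(block)))
    )

def filter_bundle(text: str, marker: str) -> tuple[str, list[str]]:
    """Return (bundle without matching certificates, the name strings that caused removal)."""
    kept: list[str] = []
    removed: list[str] = []
    for block in bundle_certs(text):
        hits = [s for s in der_strings(cert_der(block)) if marker in s]
        if hits:
            removed.extend(hits)
        else:
            kept.append(block)
    return "".join(kept), removed

if __name__ == "__main__":
    import sys
    # Usage: python audit_bundle.py [path/to/ca-bundle.crt]; with no path the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print("certificates in bundle:", len(bundle_certs(text)))
    print("still naming DigiNotar:", audit_bundle(text, "DigiNotar"))
    cleaned, removed = filter_bundle(text, "DigiNotar")
    print("removed:", removed)
    print("certificates after filtering:", len(bundle_certs(cleaned)))
```

Run it against $FWDIR/bin/ca-bundle.crt and $WEBISDIR/conf/ca-bundle.crt after the copy (and after cpstop;cpstart, to be sure the files that were read are the files in place); the "still naming DigiNotar" count should be 0 on both. The walker only recognises the three ASN.1 string types named above, so a name encoded as BMPString would slip past it; for the authoritative view of any single certificate, `openssl x509 -noout -subject -issuer` on that block is the check to rely on.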
