After installing macOS 10.15 (Catalina), users may be unable to access sites via HTTPS inspection gateway
R80.10, R80.20, R80.30
- After installing macOS 10.15 (Catalina), users are unable to access sites via HTTPS inspection gateway.
The error in Safari is:
Safari Can't Open the Page
Safari can't open the page "https://example.com" because Safari can't establish a secure connection to the server "example.com".
Environment: SSL inspection CA certificate signing algorithm is SHA1
All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:
- TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
- CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
This problem was fixed. The fix is included in:
Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade Security Management Server / upgrade Multi-Domain Security Management).
If you do not wish to upgrade, review the HTTPS inspection CA certificate: open the HTTPS inspection tab in Gateway Properties and choose "View certificate".
If the Signature hash algorithm is SHA-1 (as in the example above), follow the procedure in sk115894 - How to change HTTPS Inspection certificate from SHA-1 to SHA-256.
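The same review can be done on a saved copy of the HTTPS inspection CA certificate. The script below is an added example, not Check Point code: it assumes the certificate has been saved to a file in PEM or DER form, uses only the Python standard library, and checks just the two requirements listed above (SHA-2 signature, RSA key of at least 2048 bits). The names `tlvs` and `check_ca` are hypothetical.

```python
import base64, sys

RSA = bytes.fromhex("2a864886f70d0101")       # OID prefix 1.2.840.113549.1.1
ECDSA = bytes.fromhex("2a8648ce3d0403")       # OID prefix 1.2.840.10045.4.3
SIG_ALGS = {                                  # DER OID bytes -> (name, SHA-2?)
    RSA + b"\x05": ("sha1WithRSAEncryption", False),
    RSA + b"\x0b": ("sha256WithRSAEncryption", True),
    RSA + b"\x0c": ("sha384WithRSAEncryption", True),
    RSA + b"\x0d": ("sha512WithRSAEncryption", True),
    ECDSA + b"\x02": ("ecdsa-with-SHA256", True),
    ECDSA + b"\x03": ("ecdsa-with-SHA384", True),
    ECDSA + b"\x04": ("ecdsa-with-SHA512", True),
}

def tlvs(buf):
    """Split DER bytes into a list of (tag, content) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def check_ca(data):
    """Return findings for a PEM or DER certificate; [] means compliant."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        data = base64.b64decode(b"".join(body.split()))
    tbs, sig_alg, _signature = tlvs(tlvs(data)[0][1])
    fields = tlvs(tbs[1])
    if fields[0][0] == 0xA0:                  # skip the explicit [0] version
        fields = fields[1:]
    spki_alg, spki_key = tlvs(fields[5][1])   # subjectPublicKeyInfo
    findings = []
    oid = tlvs(sig_alg[1])[0][1]
    name, sha2 = SIG_ALGS.get(oid, ("OID " + oid.hex(), False))
    if not sha2:
        findings.append(f"signature algorithm {name} is not a recognised SHA-2 algorithm")
    if tlvs(spki_alg[1])[0][1] == RSA + b"\x01":      # rsaEncryption
        modulus = tlvs(tlvs(spki_key[1][1:])[0][1])[0][1]  # BIT STRING -> RSAPublicKey
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < 2048:
            findings.append(f"RSA key is {bits} bits, below the 2048-bit minimum")
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_ca(open(sys.argv[1], "rb").read()) or "meets both requirements")
```

Run it with the certificate file as the only argument; a finding that names `sha1WithRSAEncryption` corresponds to the SHA-1 case handled by sk115894.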