Jul 08 2016

Yesterday I worked from the home office. When connecting to our company network via the Check Point VPN client, I was presented with a message that the certificate for the site had changed. I clicked OK in the firm belief that I could easily verify this after the connection was established. (The reason: I had to connect to the internal company network to get the site's fingerprint.) I really could verify the fingerprint – but “easily” was the problem.

First I noticed that there seems to be no way to look up this fingerprint within the GUI of Endpoint Connect (E80.60 for Mac). So I looked for the configuration in the file system. You will not find it under ~/Library/Application Support as you might expect, but under /Library/Application Support/Checkpoint/Endpoint Connect/registry in the file HKLM_registry.data. The name and structure of the file suggest that under Windows the content lives in the registry. I did not verify that.

This is what the file looks like:

This line starts the header
! This line ends the header
("CheckPoint Repository Set"
        : (Software
                : (CheckPoint
                        : (accepted_cn
                                : (site.name.com
                                        :--Fingerprint-- ("WRD1 WRD2 WRD3 WRD4 WRD5 WR WRD7 WRD8 WRD9 WRDA WRDB WRDC")

The fingerprint is a typical Check Point one, consisting of 4- and 2-letter words. It is nothing you can compare directly to the SSL certificate's hex fingerprint. But you can find the same word fingerprint in SmartDashboard in the gateway properties under Mobile Access –> Portal Settings.
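As an added example (not code from the post or from Check Point), here is a small Python parser for the paren-and-colon layout shown above. It lists every accepted_cn site with the word fingerprint the client has stored for it, and compares one with the value read off SmartDashboard so the comparison does not fail on case or spacing. It assumes the file follows the structure of the excerpt: header lines up to the line starting with "!", then nested ( name : item ... ) groups, with the fingerprint stored as :--Fingerprint-- ("..."). The sample embedded in the script is constructed with placeholder site names and words; the parser also accepts input that is cut off early, like the excerpt in the post.

```python
import re
import sys

# Constructed sample in the shape the post shows for HKLM_registry.data;
# site names and fingerprint words are placeholders, not real values.
SAMPLE = '''This line starts the header
! This line ends the header
("CheckPoint Repository Set"
    : (Software
        : (CheckPoint
            : (accepted_cn
                : (site.name.com
                    :--Fingerprint-- ("WRD1 WRD2 WRD3 WRD4 WRD5 WR WRD7 WRD8 WRD9 WRDA WRDB WRDC")
                )
                : (vpn.example.net
                    :--Fingerprint-- ("ABCD EF GHIJ KLMN OP QRST UVWX YZ AB CDEF GH IJKL")
                )
            )
        )
    )
)
'''

# A token is a double-quoted string, one of ( ) :, or a bare word such as --Fingerprint--.
_TOKEN_RE = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([():])|([^\s():"]+))')


def tokenize(body):
    tokens, pos = [], 0
    while (m := _TOKEN_RE.match(body, pos)):
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(('str', m.group(1)))
        elif m.group(2) is not None:
            tokens.append(('punct', m.group(2)))
        else:
            tokens.append(('word', m.group(3)))
    return tokens


def _parse_node(tokens, i):
    """Parse '( name item* )' at tokens[i] -> ((name, [(key, value), ...]), next index).
    ': (child ...)' gives key '' and a child node; ':key (v)' or ':key v' gives the key
    with a node or string. Input that ends early simply closes the node at end of input."""
    name = tokens[i + 1][1] if i + 1 < len(tokens) else ''
    i += 2
    items = []
    while i < len(tokens) and tokens[i] != ('punct', ')'):
        key = ''
        if tokens[i] == ('punct', ':'):
            i += 1
            if i < len(tokens) and tokens[i][0] != 'punct':
                key, i = tokens[i][1], i + 1
        if i >= len(tokens) or tokens[i] == ('punct', ')'):
            value = None                      # dangling ':' or ':key' at the end
        elif tokens[i] == ('punct', '('):
            value, i = _parse_node(tokens, i)
        elif tokens[i] == ('punct', ':'):
            value = None                      # ':key' directly followed by the next item
        else:
            value, i = tokens[i][1], i + 1
        items.append((key, value))
    return (name, items), i + 1


def parse_registry(text):
    """Skip the header (through the line starting with '!') and parse the root node."""
    lines = text.splitlines()
    start = next((n + 1 for n, l in enumerate(lines) if l.lstrip().startswith('!')), 0)
    tokens = tokenize('\n'.join(lines[start:]))
    first = next((k for k, t in enumerate(tokens) if t == ('punct', '(')), None)
    return _parse_node(tokens, first)[0] if first is not None else ('', [])


def child(node, *path):
    """Descend through keyless child nodes by name: Software -> CheckPoint -> accepted_cn."""
    for want in path:
        node = next((v for _, v in node[1] if isinstance(v, tuple) and v[0] == want), None)
        if node is None:
            return None
    return node


def accepted_fingerprints(text):
    """Return {site name: stored word fingerprint} for every accepted_cn entry."""
    acc = child(parse_registry(text), 'Software', 'CheckPoint', 'accepted_cn')
    result = {}
    for _, site in (acc[1] if acc else []):
        if isinstance(site, tuple):
            fp = next((v for k, v in site[1] if k == '--Fingerprint--'), None)
            # the value is written as ("words"), i.e. a node whose name is the string
            result[site[0]] = fp[0] if isinstance(fp, tuple) else fp
    return result


def fingerprint_matches(stored, expected):
    """Compare the stored fingerprint with the one read off SmartDashboard, ignoring case and spacing."""
    canon = lambda s: ' '.join(s.upper().split())
    return canon(stored) == canon(expected)


if __name__ == '__main__':
    # usage: python cp_fingerprints.py [path to HKLM_registry.data]; without a path the SAMPLE is used
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE
    for site, fp in accepted_fingerprints(text).items():
        print(f'{site}: {fp}')
```

Run it against the file named in the post (/Library/Application Support/Checkpoint/Endpoint Connect/registry/HKLM_registry.data) and hand the printed words and the value from Mobile Access –> Portal Settings to fingerprint_matches. A mismatch means the client has accepted a certificate that the gateway is not presenting, which is exactly the situation the "certificate changed" dialog was warning about.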

In my case both fingerprints were identical, so I had not run into a man-in-the-middle (MITM) attack.

Lessons Learned:
Have an external web page where your VPN users can see the current fingerprints, and update it whenever you change certificates. Serve that page over HTTPS from a host your users can already trust; a fingerprint page that an attacker could tamper with as well proves nothing. How else can you educate and convince your users to cross-check certificate warnings whenever they run into them?

What Check Point should do:
There should be a way to look up the fingerprints of all currently configured VPN sites within the client GUI. In my opinion it is not sufficient to show a warning only when connecting to a changed certificate for the first time. Users need to be able to check the fingerprint whenever they want or need to.

  One Response to “Client VPN Certificate Check”

  1. Thanks much for sharing. I had the exact same need to check the existing fingerprint (though mine is in Windows), and this article helped me find it. BTW, you are right: in Windows it would be in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\accepted_cn\site.name.com_Clients VPN Certificate
