We are running Sophos Cloud Web Gateway on OSX.
We have SSL inspection enabled for most categories of URLs.
We are getting a large number of "Failed (inbound error) to setup SSL MITM properly" errors - this causes the connection to be terminated.
It is mostly to trustworthy sources (Google, Apple, etc.). From the logs it also seems to all be to sites that support TLSv1.2.
After the error there is a second message, "Added .... to the 'Do Not MITM' list due to javax.net.ssl.SSLException: Received fatal alert: unknown_ca", which seems to suggest that it should no longer be scanned in future, but the next request does the same.
A sample from the log is:
2018-04-13 13:40:48.787 +1000 [SsPwapcWThW4bGHrP5O4ng] [IODriver 65000] WARN c.c.n.p.n.h.ProxySslProtocolNioHandler - Failed (inbound error) to setup SSL MITM properly (
inboundHandshakeInfo=ClientHello[
Version=TLSv1.2,
ServerNameIndicationList=[6d 61 70 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d maps.googleapis.com],
SupportedCipherSuites=[
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, ......, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
],
realDest=172.217.25.138:443)
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at com.sophos.cloud.standard.commons.ssl.NeverBlockingSslChannel._recvAndUnwrap(NeverBlockingSslChannel.java:503)
at com.sophos.cloud.standard.commons.ssl.NeverBlockingSslChannel._doAsyncHandshake(NeverBlockingSslChannel.java:857)
at com.sophos.cloud.standard.commons.ssl.NeverBlockingSslChannel.sslNeedFulfilled(NeverBlockingSslChannel.java:228)
at com.sophos.cloud.standard.commons.nio.driver.ssl.SslHandshakeBaseHandler.readable(SslHandshakeBaseHandler.java:75)
at com.clutchmobile.netguard.proxy.nio.handler.ProxySslProtocolNioHandler$ContextualSslHandshakeHandler.readableInContext(ProxySslProtocolNioHandler.java:415)
at com.clutchmobile.netguard.proxy.nio.handler.ProxySslProtocolNioHandler$ContextualSslHandshakeHandler.readable(ProxySslProtocolNioHandler.java:402)
at com.clutchmobile.netguard.proxy.nio.handler.ProxySslProtocolNioHandler$ContextualSslHandshakeHandler.readable(ProxySslProtocolNioHandler.java:357)
at com.sophos.cloud.standard.commons.nio.driver.IODriver$NioObjectWithHandler.readable(IODriver.java:199)
at com.sophos.cloud.standard.commons.nio.driver.IODriver._handleSelectedKey(IODriver.java:737)
at com.sophos.cloud.standard.commons.nio.driver.IODriver.handleSelectedKeys(IODriver.java:654)
at com.sophos.cloud.standard.commons.nio.driver.IODriver.drive(IODriver.java:605)
at com.clutchmobile.netguard.proxy.thread.tcp.nio.IODriverThread.run(IODriverThread.java:56)
2018-04-13 13:40:48.790 +1000 [SsPwapcWThW4bGHrP5O4ng] [IODriver 65000] WARN c.c.n.p.s.SSLProxyPreferenceService - Added 172.217.25.138:443 (SNI: maps.googleapis.com) to the 'Do Not MITM' list due to javax.net.ssl.SSLException: Received fatal alert: unknown_ca
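To triage this pattern, here is an added Python script (not part of the post or of the Sophos product) that parses the proxy's "Do Not MITM" log lines and reports which SNI/destination pairs keep being re-added after an inbound MITM failure, which is the behaviour described above. The sample log is constructed in the format quoted in the post; the host pinned.example.com and the address 192.0.2.10 are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the post; the repeat for
# maps.googleapis.com and the pinned.example.com/192.0.2.10 entry are made up.
SAMPLE_LOG = """\
2018-04-13 13:40:48.787 +1000 [SsPwapcWThW4bGHrP5O4ng] [IODriver 65000] WARN c.c.n.p.n.h.ProxySslProtocolNioHandler - Failed (inbound error) to setup SSL MITM properly (
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
2018-04-13 13:40:48.790 +1000 [SsPwapcWThW4bGHrP5O4ng] [IODriver 65000] WARN c.c.n.p.s.SSLProxyPreferenceService - Added 172.217.25.138:443 (SNI: maps.googleapis.com) to the 'Do Not MITM' list due to javax.net.ssl.SSLException: Received fatal alert: unknown_ca
2018-04-13 13:41:02.101 +1000 [SsPwapcWThW4bGHrP5O4ng] [IODriver 65000] WARN c.c.n.p.n.h.ProxySslProtocolNioHandler - Failed (inbound error) to setup SSL MITM properly (
2018-04-13 13:41:02.105 +1000 [SsPwapcWThW4bGHrP5O4ng] [IODriver 65000] WARN c.c.n.p.s.SSLProxyPreferenceService - Added 172.217.25.138:443 (SNI: maps.googleapis.com) to the 'Do Not MITM' list due to javax.net.ssl.SSLException: Received fatal alert: unknown_ca
2018-04-13 13:42:10.000 +1000 [SsPwapcWThW4bGHrP5O4ng] [IODriver 65000] WARN c.c.n.p.s.SSLProxyPreferenceService - Added 192.0.2.10:443 (SNI: pinned.example.com) to the 'Do Not MITM' list due to javax.net.ssl.SSLException: Received fatal alert: unknown_ca
"""

ADDED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) .*SSLProxyPreferenceService - "
    r"Added (?P<dest>\S+) \(SNI: (?P<sni>[^)]+)\) to the 'Do Not MITM' list "
    r"due to .*alert: (?P<alert>\w+)$"
)
FAILED_RE = re.compile(r"Failed \(inbound error\) to setup SSL MITM properly")

def summarize(log_text):
    """Count inbound MITM failures and group 'Do Not MITM' additions by (SNI, destination)."""
    entries = defaultdict(lambda: {"count": 0, "alerts": set(), "first": None, "last": None})
    failed = 0
    for line in log_text.splitlines():
        if FAILED_RE.search(line):
            failed += 1
            continue
        m = ADDED_RE.match(line)
        if not m:
            continue
        e = entries[(m["sni"], m["dest"])]
        e["count"] += 1
        e["alerts"].add(m["alert"])          # TLS alert the client sent (e.g. unknown_ca)
        e["first"] = e["first"] or m["ts"]
        e["last"] = m["ts"]
    return {"failed_inbound": failed, "entries": dict(entries)}

def repeat_offenders(summary, min_count=2):
    """(SNI, dest) pairs added to 'Do Not MITM' more than once: the exemption is not sticking."""
    return sorted(k for k, v in summary["entries"].items() if v["count"] >= min_count)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["failed_inbound"], "inbound failures; re-added:", repeat_offenders(s))
```

Run it over the real proxy log instead of SAMPLE_LOG: a pair that shows up repeatedly with unknown_ca is a client that does not trust the inspection CA for that host, so the exemption (or the client's trust of the proxy CA) is the thing to check.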