
What does "Block unrecognized SSL protocols" block?

Hi Community,

I have really tried to find some info about this, but a person asked me what exactly this option does and I haven't found any clue yet.

When it says that unrecognized SSL protocols will be blocked, will the XG block old SSL protocols too? What exactly does this option block?

I would appreciate any comment about this.



  • Hey,

    Please take a look at this KB Article for further explanation.

    Block unrecognized SSL protocols: Stop traffic that avoids HTTPS scanning by using invalid SSL protocols.
    I hope this helps clear up the confusion!

    Regards,
  • When I enable this, I notice a bunch of log messages for SYSTEM that show IP addresses being blocked, most of which appear to be coming from Apple and Facebook.

    Some questions for you smart folks:

    1. Is it common for companies to use proprietary SSL protocols that Sophos doesn't recognize and will be blocked? For a home user, would you recommend enabling or disabling the "Block unrecognized SSL protocols" setting? My understanding is the risk you're buying by disabling this feature is a hacker could use an unrecognized SSL protocol to bypass your firewall.

    2. Is there any way to easily add certain domains/IP ranges to bypass this feature?

  • Hi,

    This option is useful to give your clients a block page if the target page is not correctly signed.

    As you know, for HTTPS inspection, you do a man-in-the-middle attack. So basically all pages are correctly signed for the client, because he only sees the XG CA, which signs all pages. And if the XG connects to a target page with a "corrupt" or wrong certificate, it will block it and give the client a block page.
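As an added illustration of the distinction the KB sentence quoted earlier draws ("traffic that avoids HTTPS scanning by using invalid SSL protocols"): an inspecting proxy can only decrypt and scan a connection it can parse as TLS in the first place, so bytes sent to an HTTPS port that are not a TLS record (plain HTTP, SSH, a tunnelling tool's own framing) cannot be inspected at all. The Python below is example code written for this thread, not code from Sophos, the KB article or any poster, and how the XG really parses traffic is not described on this page; it is an assumption that the firewall does something comparable. It checks the first bytes a client sends against the TLS record header and ClientHello layout and classes constructed sample payloads as recognized, legacy (SSLv2) or unrecognized.

```python
import struct

# Record-layer / handshake versions as (major, minor) -> name.
# TLS 1.3 still writes 0x0303 into the record layer and ClientHello.client_version
# and negotiates 1.3 through the supported_versions extension, so it reads as "TLS 1.2" here.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def classify_first_flight(data: bytes) -> dict:
    """Classify the first bytes a client sends on an HTTPS port.

    Returns a dict whose "verdict" is "recognized", "legacy" or "unrecognized".
    Illustrative header check only (assumption: a real proxy validates far more,
    e.g. the full handshake and the server certificate chain).
    """
    if len(data) < 5:
        return {"verdict": "unrecognized", "reason": "shorter than a TLS record header"}
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and (major, minor) in VERSIONS:
        result = {
            "verdict": "recognized",
            "content_type": CONTENT_TYPES[ctype],
            "record_version": VERSIONS[(major, minor)],
            "record_length": rec_len,
        }
        # A ClientHello carries its own version right after the 4-byte handshake header.
        if ctype == 22 and len(data) >= 11 and data[5] == 1:
            result["handshake"] = "ClientHello"
            result["client_version"] = VERSIONS.get((data[9], data[10]), "unknown")
        return result
    # SSLv2 ClientHello: 2-byte length with the high bit set, then message type 0x01.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"verdict": "legacy", "protocol": "SSLv2 ClientHello"}
    return {"verdict": "unrecognized", "reason": "not a TLS record header"}


def build_client_hello(client_version=(3, 3)) -> bytes:
    """Build a minimal, well-formed TLS ClientHello record (constructed sample)."""
    body = (
        bytes(client_version)      # client_version
        + bytes(range(32))         # 32-byte "random", fixed here for reproducibility
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x00\x2f"      # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"              # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version 0x0301 is what most clients send in the first record.
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample first flights, as a proxy on port 443 might see them.
SAMPLES = {
    "tls12_client_hello": build_client_hello(),
    "sslv2_client_hello": b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10" + bytes(16),
    "plain_http_on_443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner_on_443": b"SSH-2.0-ExampleSSH\r\n",
    "truncated": b"\x16\x03",
}


def verdicts() -> dict:
    """Map each sample name to the verdict the check gives it."""
    return {name: classify_first_flight(payload)["verdict"] for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22s} {classify_first_flight(payload)}")
```

Only the "unrecognized" class corresponds to what the KB sentence describes; the legacy SSLv2 shape is reported separately so a policy can treat old-but-identifiable protocols differently from traffic that is not SSL/TLS at all. A server presenting a wrong or self-signed certificate, the case discussed in this post, is a different failure: the handshake is perfectly recognizable, and the block page comes from certificate validation rather than from this check.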

  • Thanks for the reply. I understand how it works, I guess my question is more of why a company like Apple would have “corrupt” certificates.

    My only guess is they’re using proprietary certificates to prevent connections to their servers from being decrypted. If so, I’m assuming I could setup a web exception for HTTPS Decryption but there doesn’t appear to be an easy way to add Apple servers without looking at the IP address being blocked and adding each one individually. I got to about 13 addresses before I gave up because that method doesn’t seem feasible.

    For now, I just disabled the feature altogether.

  • Hey Shred,

    Sounds like something else is wrong with your configuration? I have that feature enabled and can access the Apple update sites without any issues. I have one rule with HTTPS scanning for Macs and one rule for phones and iPads without HTTPS scanning, and all devices access the stores and updates without any issues.

    Now, depending on which version of iOS you are running, there have been issues with Apple doing something wrong and then fixing it in the next release.

    At one stage I found connecting the device directly then connecting through the XG also worked until Apple broke it again. At the moment all devices are connecting correctly.

    A survey site I access has broken SSL, and I have to disable the tab.

    Ian

  • I don’t have any issues with my Apple devices. My question is more for my own edification, not necessarily anything I’m having issues with (at least that I know about). Specifically, why companies (such as Apple) use invalid SSL certificates (see my post above). It’s not a major issue as I have simply disabled the feature for now, but it’s pretty apparent Apple devices try to access Apple servers (for what service, I don’t know) using an invalid SSL certificate. I just enjoy learning why things work the way they do.

  • Hi Shred,

    I don't think it is invalid SSL protocols on the Apple website, but something in the OS updates, I have that box ticked and all my Apple devices connect without complaining. But as I said I have one site that fails SSL testing and I am waiting on their responses to two requests I submitted.

    Ian

    Of course experimenting and learning at the same time is fun as long as the family doesn't get upset too much.

  • Hey Shred,

    A little bit of extra stuff: I occasionally get reports of Ultrasurf access from my network, and on previous investigations I have found that some Apple sites are mis-categorised.

    Ian