
Windows Update 0x80240437 0x80245006 TLS

Just for your info.

Windows 10 devices had trouble updating with resulting error 0x80245006

There were no useful errors on my XG 18 firewall, just "HTTP parsing error encountered."

At that time I started changing firewall rules, which did not help.

Then I checked the Sophos Log Viewer again with only the SSL/TLS inspection module.

There were some green/blue locks; that did not look like an error to me, but when checking the URLs there were some Microsoft domains.

I put these Microsoft domains in the "Local TLS exclusion list" and the Windows 10 devices started updating.

Why are those Domains not on Sophos TLS Exclusions list??


These are the domains I put on the "Local TLS exclusion list" (I don't think they all have to be there, but it worked for me):

slscr.update.microsoft.com, licensing.mp.microsoft.com, fe3cr.delivery.mp.microsoft.com, client.wns.windows.com, fe2cr.update.microsoft.com
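One way to find out which of these endpoints a DPI engine is actually decrypting, as an added example that is not part of the original post and not Sophos code: a TLS-inspecting firewall normally re-signs the server certificate with its own CA, so the issuer of the leaf certificate the client receives tells you whether the session was intercepted. The script below assumes that behaviour, assumes the firewall CA's common name is known to you (the "Example Firewall Inspection CA" and "Example Public Issuing CA" names are constructed placeholders), and reads the domain list from the post above; the sample certificates are constructed so the classification logic can be exercised offline.

```python
"""Report which Windows Update endpoints are being decrypted by a TLS-inspecting
firewall (added example, not from the thread or from Sophos).

Assumption: when the DPI engine decrypts a session it re-signs the server
certificate with the firewall's own CA, so the leaf certificate seen by the
client is issued by that CA instead of a public CA. Comparing the issuer of
each endpoint's certificate with the firewall CA name shows which endpoints
are currently inspected and are therefore candidates for the exclusion list.
"""
import socket
import ssl

# Domains from the thread's "Local TLS exclusion list"
UPDATE_DOMAINS = [
    "slscr.update.microsoft.com",
    "licensing.mp.microsoft.com",
    "fe3cr.delivery.mp.microsoft.com",
    "client.wns.windows.com",
    "fe2cr.update.microsoft.com",
]


def issuer_common_name(cert):
    """Extract the issuer CN from the dict shape returned by ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, inspection_ca_cn):
    """'inspected' if the leaf was re-signed by the firewall CA, 'direct' otherwise."""
    cn = issuer_common_name(cert)
    if cn is None:
        return "unknown"
    return "inspected" if cn == inspection_ca_cn else "direct"


def fetch_cert(host, port=443, timeout=5.0):
    """Open a TLS connection using the system trust store and return the peer cert dict.

    Certificate validation is deliberately left on: if the firewall CA is not trusted
    by this machine the handshake fails, which is itself a useful finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(domains, inspection_ca_cn, fetch=fetch_cert):
    """Map each domain to a verdict; handshake failures are recorded instead of raised."""
    results = {}
    for host in domains:
        try:
            results[host] = classify(fetch(host), inspection_ca_cn)
        except (ssl.SSLError, OSError) as exc:
            results[host] = f"handshake failed: {exc.__class__.__name__}"
    return results


# Constructed sample certificates in getpeercert() format, for offline use only
SAMPLE_DIRECT = {
    "subject": ((("commonName", "slscr.update.microsoft.com"),),),
    "issuer": ((("organizationName", "Example CA Corp"),),
               (("commonName", "Example Public Issuing CA"),)),
}
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "client.wns.windows.com"),),),
    "issuer": ((("commonName", "Example Firewall Inspection CA"),),),
}


def offline_demo(inspection_ca_cn="Example Firewall Inspection CA"):
    """Run report() against the constructed certificates instead of the network."""
    samples = {
        "slscr.update.microsoft.com": SAMPLE_DIRECT,
        "client.wns.windows.com": SAMPLE_INSPECTED,
    }

    def fake_fetch(host):
        if host not in samples:
            raise OSError("constructed: connection refused")  # simulate a blocked endpoint
        return samples[host]

    return report(list(samples) + ["fe2cr.update.microsoft.com"], inspection_ca_cn, fetch=fake_fetch)


if __name__ == "__main__":
    # Live run: replace the placeholder with the CN of your firewall's inspection CA.
    for host, verdict in report(UPDATE_DOMAINS, "Example Firewall Inspection CA").items():
        print(f"{host:40} {verdict}")
```

Run it from a client behind the firewall: endpoints reported as "inspected" are the ones the DPI engine is decrypting, and an endpoint that fails the handshake even though the firewall CA is trusted is behaving like the "can't be MITM" case the reply below describes.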



  • Hi,

    You can do it a number of ways: one is the way you did, or you can add extras to the existing web exception list, which is probably better value for when you start to create your own DPI rules.

    I found that if I allowed all the updates through and then removed the general access firewall rule, the updates flow correctly.

    There was another thread on this subject earlier.

    ian

  • There were some green/blue locks
    • Blue Lock = Decrypted Connection
    • Green Lock = Inspected Connection - Will check SNI/Ciphers/URL Category/TLS version and so on.
    • Red Lock = Error, It will show on the right side why the TLS connection failed.


    Why are those Domains not on Sophos TLS Exclusions list??

    Most of them are; the primary ones are the ones that can't be MITM'd.


    I believe, since it's not giving you "red locks", that the TLS connection can be decrypted and inspected, but the DPI engine is failing because there is some invalid HTTP traffic over the connection. By executing the command above, it will pass it correctly.

    And by putting those domains on the exclusion list, the DPI engine won't decrypt them, making it impossible to see inside the connection, so it no longer fails because of the invalid HTTP traffic. (I believe this is why it worked.)


    Thanks!

  • Thanks,

    I searched for a solution and did not find it; that's why I put my solution here.

  • If you use

    set http_proxy relay_invalid_http_traffic on

    Then you leave a big hole in your security. See Allow specific URLs but block non-URL 443 traffic

    Read from the verified answer by and my follow-ups

  • Thanks for the link, I hadn't seen this before.