Anyone have a good list that's been developed for TLS Exclusion?

I think there will be many more domains that need to be added to the TLS bypass. If you have already been through this pain please share!

Thanks



  • Please remember that the current version does not scan UDP, so the site list will grow.

    ian

  • Hi,

    TLS exclusions depend highly on your own scenario and workplace; I don't recommend using random lists from other users for it. To be honest, I deeply recommend that you build your own exclusion list.

    If your workplace heavily uses browser-based applications and you imported the CA correctly, then you will _almost_ never have issues with decryption. But depending on the application your users use - if it has certificate pinning then yes, you will have to create an exclusion for the necessary domain.

    Thanks!

  • And that defeats the purpose of wanting to scan sites that you and your clients visit.

  • This caught my attention because today, after installing MR2 on my production XG210, I re-enabled the DPI engine and created a rule just for me to test. Some sites work great, blazing fast, and some sites have problems whereby they are incredibly slow to load. In an organization with 50+ people, I cannot tell our users to call me every time they run into a site that loads weird; I'd be on the phone all day and nobody would ever get anything done.

    Maybe it's just me, but the DPI engine looks great on paper but performs horribly in the real world. "Make an exclusion" isn't practical.

  • Actually it's the same "problem" you had in the proxy as well.

    If there were an "automated process", this would destabilize the entire system. For example, an attacker using a TLS connection, which would be decrypted, would lead to an exception.

    The point is, there are two different kinds of "This site is not working with DPI":

    A. The site/service does not want you to do it. (Banking? Services by Microsoft or apps?)

    B. There are technical difficulties within the DPI engine to decrypt this.

    As Sophos is working hard on case B, to resolve such issues (let's call them bugs), for case A you "should know what apps your setup is using".

    Case A will lead to a discussion: what should our users do in our network? What is allowed and what is not? If you allow all, you might end up with a huge list of exclusions.

    This issue is the same as HTTPS decryption was in UTM.

  • LuCar,

    "The internet," as in HTTPS websites, is the app that is breaking. I have the XG certificate installed for MITM decryption. It works perfectly well when using the web proxy engine. But turn on the DPI engine and all of a sudden random sites become extremely slow. If you look in the log file you will see this extremely helpful entry:

    • reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"

    What does that mean? Why does it happen? How can it be fixed?

    "Make an exception" is not a useful answer.

  • Flow timeouts are more likely something from section B. Those are bugs within the engine and will be addressed in the future.

  • Thanks for the replies! I have only done a test group so far, and that seems to work well. I was just thinking of all the possibilities here and trying to gauge how bad this is going to be. Are users constantly asking at the beginning, that kind of thing?
    It seems using the self-signed cert is more beneficial long term now that "real" certs have to be changed out so frequently. Is that the method most are using?

    Based on what Bill is saying, are we in the know on the DPI engine having problems? I definitely cannot knowingly activate this if there are known issues with sites dropping or similar. Honestly it seems like such a huge undertaking that I am not surprised.


    Following restrictions announced by Apple about improving security on the web, the international regulation of SSL certificates is changing. The Certificate Authorities (CA) have agreed to reduce the lifetime of an SSL certificate to 12 months maximum. This measure will take effect September 1, 2020.

  • The latest release, MR3, has some very vague connotations regarding this; hopefully scenario B has been addressed now.
    I agree with Bill: we cannot enable it and then tell users sometimes it's slow. It will be hard enough to whitelist exclusions in a 500-user environment.
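The advice above is to build your own exclusion list from your own traffic rather than copy someone else's, and the only clue the firewall gives is the `reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"` entry Bill quoted. The script below is an added example, not Sophos code and not from anyone in this thread: it parses key="value" log lines in that style, tallies TLS engine drops per destination host and per error type, and lists the hosts that cross a threshold as candidates to review for an exclusion (and to report as case-B bugs if they are not pinned services). The sample lines are constructed, and the field names `dst_domainname`, `src_ip`, `log_type` and `timestamp` are assumptions made for the sample; only the `reason` value comes from the thread.

```python
"""Tally TLS-engine drops per destination host from firewall log lines.

Added example, not Sophos code. Parses key=value / key="quoted value"
lines. The reason="Dropped due to TLS engine error: NAME[code]" text is
the entry quoted in the thread; the other field names are assumptions
used only for the constructed sample data below.
"""
import re
from collections import Counter, defaultdict

# One key=value pair: bare token or double-quoted string (backslash escapes allowed).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The drop reason seen in the thread, e.g. "... TLS engine error: FLOW_TIMEOUT[5]".
_TLS_ERR = re.compile(r'Dropped due to TLS engine error: ([A-Z_]+)\[(\d+)\]')


def parse_line(line):
    """Return a dict of fields from one key=value log line (quotes stripped)."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def tls_error(fields):
    """Return (error_name, code) if the line is a TLS engine drop, else None."""
    m = _TLS_ERR.search(fields.get("reason", ""))
    return (m.group(1), int(m.group(2))) if m else None


def tally(lines):
    """Count TLS engine drops per destination host, and per host per error type."""
    per_host = Counter()
    per_host_error = defaultdict(Counter)
    for line in lines:
        f = parse_line(line)
        err = tls_error(f)
        if err is None:
            continue  # allowed traffic or a drop for some other reason
        host = f.get("dst_domainname", "<unknown>")  # assumed field name
        per_host[host] += 1
        per_host_error[host][err[0]] += 1
    return per_host, per_host_error


def exclusion_candidates(lines, min_drops=3):
    """Hosts with at least min_drops TLS engine drops, most frequent first."""
    per_host, _ = tally(lines)
    return [h for h, n in per_host.most_common() if n >= min_drops]


# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = [
    'timestamp="2020-09-01 10:00:01" log_type="Firewall" src_ip=10.0.0.5 dst_domainname=app.example-pinned.test reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"',
    'timestamp="2020-09-01 10:00:04" log_type="Firewall" src_ip=10.0.0.7 dst_domainname=app.example-pinned.test reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"',
    'timestamp="2020-09-01 10:00:09" log_type="Firewall" src_ip=10.0.0.5 dst_domainname=cdn.example.test reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"',
    'timestamp="2020-09-01 10:00:12" log_type="Firewall" src_ip=10.0.0.9 dst_domainname=www.example.test reason="Allowed"',
    'timestamp="2020-09-01 10:00:15" log_type="Firewall" src_ip=10.0.0.5 dst_domainname=app.example-pinned.test reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"',
    # A drop where the log did not record a destination host at all.
    'timestamp="2020-09-01 10:00:20" log_type="Firewall" src_ip=10.0.0.7 reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"',
]


if __name__ == "__main__":
    per_host, per_host_error = tally(SAMPLE_LOG)
    for host, n in per_host.most_common():
        print(f"{host:32} drops={n} by_error={dict(per_host_error[host])}")
    print("review for exclusion:", exclusion_candidates(SAMPLE_LOG))
```

Run it against an exported log instead of `SAMPLE_LOG` and raise `min_drops` to taste; hosts whose drops are all `FLOW_TIMEOUT` but that work fine through the web proxy are the ones worth raising with support as engine bugs rather than silently excluding, since an exclusion removes those flows from inspection for good.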