I think there will be many more domains that need to be added to the TLS bypass. If you have already been through this pain please share!
Thanks
This thread was automatically locked due to age.
Hi DBASQL ,
TLS exclusions highly depend on your own scenario and workplace; I don't recommend using random lists from other users for it. To be honest, I deeply recommend that you build your own exclusion list.
If your workplace heavily uses browser-based applications and you imported the CA correctly, then you will _almost_ never have issues with decryption. But depending on the applications your users use - if one has certificate pinning then yes, you will have to create an exclusion for the necessary domain.
Thanks!
This caught my attention because today, after installing MR2 on my production XG210, I re-enabled the DPI engine and created a rule just for me to test. Some sites work great, blazing fast, and some sites have problems whereby they are incredibly slow to load. In an organization with 50+ people, I cannot tell our users to call me every time they run into a site that loads weird; I'd be on the phone all day and nobody would ever get anything done.
Maybe it's just me, but the DPI engine looks great on paper and performs horribly in the real world. "Make an exclusion" isn't practical.
Actually it's the same "problem" you had in the proxy as well.
If there were an "automated process", it would destabilize the entire system. For example, an attacker using a TLS connection that would be decrypted would lead to an exception.
The point is, there are two different cases of "This site is not working with DPI":
A. The site/service does not want you to do it. (Banking? Services by Microsoft or apps?)
B. There are technical difficulties within the DPI engine in decrypting this.
As Sophos is working hard on case B, to resolve such issues (let's call them bugs), for case A you "should know what apps your setup is using".
Case A will lead to a discussion: what should our users do in our network? What is allowed and what is not? If you allow everything, you might end up with a huge list of exclusions.
This issue is the same as HTTPS decryption was in UTM.
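To make the case A / case B split above something you can act on, here is an added triage helper (example code, not from the thread or from Sophos). It reads decryption-failure records in a constructed, assumed format (timestamp, client IP, SNI host, failure reason), separates pinning-type failures (case A, exclusion candidates for human review) from flow timeouts (case B, bug reports), and deliberately never writes any exclusion itself; the reason names and the two-client threshold are assumptions for the example.

```python
"""Triage TLS-decryption failures into a list for manual review."""
from collections import defaultdict

# Constructed sample log; the column layout is an assumption for this
# example, not the firewall's real log format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.11 updates.vendor.example handshake_reset
2024-05-01T09:00:05 10.0.0.12 updates.vendor.example handshake_reset
2024-05-01T09:00:09 10.0.0.13 updates.vendor.example handshake_reset
2024-05-01T09:01:00 10.0.0.11 slow.site.example flow_timeout
2024-05-01T09:01:30 10.0.0.11 slow.site.example flow_timeout
2024-05-01T09:02:00 10.0.0.20 one-off.example handshake_reset
"""

# Assumed reason names. Resets after the MITM cert is presented point to
# the app/site refusing interception (case A); timeouts are engine issues
# (case B) and belong in a bug report, not in the exclusion list.
PINNING_REASONS = {"handshake_reset", "cert_rejected"}


def parse_log(text):
    """Return (timestamp, client, host, reason) tuples, skipping bad lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(tuple(parts))
    return rows


def triage(rows, min_clients=2):
    """Map host -> {'case': 'A'|'B', 'clients': n, 'events': n}.

    A host is a case A candidate only when at least `min_clients` distinct
    clients saw a pinning-type failure, so one odd machine cannot grow the
    list. Output is for a human to review; nothing here changes config.
    """
    clients, events, reasons = defaultdict(set), defaultdict(int), defaultdict(set)
    for _, client, host, reason in rows:
        clients[host].add(client)
        events[host] += 1
        reasons[host].add(reason)
    out = {}
    for host in clients:
        info = {"clients": len(clients[host]), "events": events[host]}
        if reasons[host] & PINNING_REASONS and info["clients"] >= min_clients:
            out[host] = {"case": "A", **info}
        elif "flow_timeout" in reasons[host]:
            out[host] = {"case": "B", **info}
    return out


if __name__ == "__main__":
    for host, info in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(host, info)
```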
LuCar,
"The internet," as in HTTPS websites, is the app that is breaking. I have the XG certificate installed for MITM decryption. It works perfectly well when using the web proxy engine. But turn on the DPI engine and all of a sudden random sites become extremely slow. If you look in the log file you will see this extremely helpful entry:
What does that mean? Why does it happen? How can it be fixed?
"Make an exception" is not a useful answer.
Flow Timeouts are more likely something from section B. Those are Bugs within the Engine and will be addressed in the future.
The latest release MR3 has some very vague connotations regarding this; hopefully scenario B has been addressed now.
I agree with Bill: we cannot enable it and then tell users sometimes it's slow. It will be hard enough to whitelist exclusions in a 500-user environment.