Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 28 subscribers
  • Views 1079 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG v18 does not use the Common Name of the website certificate.

core_memory

For example
openssl s_client -connect www.sophos.com:443 -servername www.sophos.com
In this case, No decryption.  It is normal.

openssl s_client -connect www.sophos.com:443
In this case, decryption.
I think it's because there is no SNI (Server Name Indication).

The Common Name of the certificate is www.sophos.ccom. "sophos.com" is included in the "Managed TLS exclusion list".
In this case, there should be No decryption. Is this wrong?

If the client does not send the SNI, I want XG to use the Common Name.

Is KB-000035867 invalid?
support.sophos.com/.../KB-000035867

I also want XG to output the Common Name in the log.



This thread was automatically locked due to age.
Parents
  • 0

    Be aware the domain "*.sophos.com" and "sophos.com" is on a Hidden Rule called "System Exclusions", which can't be altered in any way by the Administrator User.

    Also, I've didn't managed to replicate this with any other domain, could you give a better domain & server for this example?

    Edit:

    I've created a "Decrypt" Rule on top of everything, and those are my results after disabling the predefined "Exclusions" Rule at the top.

    2021-01-03 11:43:36SSL/TLS inspectionmessageid="19004" log_type="SSL" log_component="SSL" log_subtype="Do not decrypt" severity="Information" user="###" src_ip="10.0.0.10" dst_ip="23.38.159.25" user_group="Auth Group" src_country="" dst_country="USA" src_port="50800" dst_port="443" app_name="" app_id="0" category="Software Updates" category_id="68" con_id="1437700480" rule_id="0" profile_id="1" rule_name="System exclusions" profile_name="Maximum compatibility" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="9c:7e:d6:2d:3d:71:bd:f6:65:1f:e1:79:b3:b4:fc:e8:c1:1d:58:14" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sni="www.sophos.com" tls_version="TLS1.2" reason="" exception="" message=""

    $ openssl s_client -connect www.sophos.com:443                           
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign


    $ openssl s_client -connect www.sophos.com:443 -servername www.sophos.com
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

    Here's what's interesting from the Logs.

    • rule_id="0"
    • rule_name="System exclusions"
    • profile_name="Maximum compatibility"
    • sni="www.sophos.com"

    Thanks!

  • 0 in reply to Prism

    Thank you for your reply.
    I see, there is a rule called "System exclusions".

    Another example is "www.mozilla.org".
    The Common Name of the certificate is "www.mozilla.org". "mozilla.org" is included in the "Managed TLS exclusion list".

    openssl s_client -connect www.mozilla.org:443 -servername www.mozilla.org
    In this case, No decryption.
    rule_id="1"
    rule_name="Exclusions by website or category"

    openssl s_client -connect www.mozilla.org:443
    In this case, decryption.
    rule_id is not "1".

Reply
  • 0 in reply to Prism

    Thank you for your reply.
    I see, there is a rule called "System exclusions".

    Another example is "www.mozilla.org".
    The Common Name of the certificate is "www.mozilla.org". "mozilla.org" is included in the "Managed TLS exclusion list".

    openssl s_client -connect www.mozilla.org:443 -servername www.mozilla.org
    In this case, No decryption.
    rule_id="1"
    rule_name="Exclusions by website or category"

    openssl s_client -connect www.mozilla.org:443
    In this case, decryption.
    rule_id is not "1".

Children
No Data