
XG v18 does not use the Common Name of the website certificate.

For example:
openssl s_client -connect www.sophos.com:443 -servername www.sophos.com
In this case, there is no decryption. That is normal.

openssl s_client -connect www.sophos.com:443
In this case, there is decryption.
I think it's because there is no SNI (Server Name Indication).

The Common Name of the certificate is www.sophos.com. "sophos.com" is included in the "Managed TLS exclusion list".
In this case, there should be no decryption. Is this wrong?

If the client does not send the SNI, I want XG to use the Common Name.

Is KB-000035867 invalid?
support.sophos.com/.../KB-000035867

I also want XG to output the Common Name in the log.



This thread was automatically locked due to age.
  • If the client does not send SNI, the IP address is set to sni in the log. Is this related to the reason why CN is not used?

    And it's also bad that the categories are different for IPv4 and IPv6, and they are inconsistent.

    Web policy also does not use CN.

    IPv6
    sni="2001:db8::1"
    category="InvalidUrl"

    IPv4
    sni="198.51.100.1"
    category="IPAddress"
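
As an added example (not part of the original posts and not Sophos code), this Python script scans log lines for records whose sni field holds an IP literal, which per the reply above is what gets logged when the client sends no SNI, so a hostname entry such as "sophos.com" has nothing to match against. The key="value" line layout, the function names and the sample lines are assumptions constructed for illustration; only the sni and category values for the two IP records come from the thread.

```python
import ipaddress
import re

# Constructed sample lines. The first record and its category are invented;
# the two IP records reuse the sni/category values quoted in the thread.
SAMPLE_LOG = [
    'sni="www.sophos.com" category="Information Technology"',
    'sni="198.51.100.1" category="IPAddress"',
    'sni="2001:db8::1" category="InvalidUrl"',
]

# Assumed log layout: space-separated key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def sni_ip_family(sni):
    """Return 'IPv4' or 'IPv6' if the sni value is an IP literal, else None."""
    try:
        # Tolerate a bracketed IPv6 literal such as [2001:db8::1].
        addr = ipaddress.ip_address(sni.strip("[]"))
    except ValueError:
        return None  # a real hostname: the client did send SNI
    return f"IPv{addr.version}"


def find_sni_less_connections(lines):
    """List records where the logged sni is an IP address (no SNI sent)."""
    findings = []
    for line in lines:
        fields = parse_fields(line)
        family = sni_ip_family(fields.get("sni", ""))
        if family is not None:
            findings.append({
                "address": fields["sni"],
                "family": family,
                "category": fields.get("category", ""),
            })
    return findings


if __name__ == "__main__":
    for hit in find_sni_less_connections(SAMPLE_LOG):
        print(f'{hit["family"]:4} {hit["address"]:15} category={hit["category"]}')
```

Classifying the address with `ipaddress` treats both families the same way, which sidesteps the IPAddress/InvalidUrl category mismatch when building a report.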
