
HTTPS Decrypt and Scan Encountering Warning Pages

Hey Sophos,

We've recently been testing Packet Inspection / HTTPS Decryption and was mostly a success, but some sites were presenting the below, even when we had the appliance cert installed. Can someone shed some light as to what was causing this? Note that it wasn't all sites, just a handful:

Many Thanks



  • The message means: The Firewall can't check the Server-identity.
    This is not a problem from SSL-decryption certificate at the client.
    Check the webserver, there must be an issue with the SSL-Server certificate.
    I use https://testtls.com or www.ssllabs.com/.../ for this.

    You may post the server-url here.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,

    We pushed the appliance certificate (SecurityAppliance_SSL_CA) located under Certificates > Certificate Authorities. This same certificate is set under Web > General Settings > HTTPS scanning certificate authority (CA) to be used as the designated CA.

    Devices with the certificate above worked mostly, and those without the certificate got blocks on every page. Those with the certificate only got blocks on certain pages, or using certain services.

    As soon as we turned Packet Inspection off, the site was accessible as before Packet Inspection was enabled. There aren't any other firewall rules in use that would supersede this one with Decrypt HTTPS during web proxy filtering checked, so I'm at a loss as to what would cause this.

  • Hi,

    some sites do not like inspection, e.g. Apple, so you have an exception list; there is one provided by Sophos and then you can create your own. If the site must be inspected then you need to look at the web proxy.

    Michael Dunn's explanation

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    Thanks for the reference. I did find that article, but perhaps I missed something. Can you clarify where this list is and how we enable or include it in our configuration? Can we then add to this list, or use multiple lists?

    Can you also clarify what you mean by looking at the web proxy in the latter half of your post?

  • Hi,

    the list is in GUI -> Profiles -> Decryption.

    The list is used automatically by the default SSL/TLS rule and is not user editable. You can create your own for use with your SSL/TLS rules.

    If you want to ensure a site is scanned you use the WEB Proxy assuming the ports you want scanned are web ports. Again not all sites work correctly with scanning, Apple being one.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • I would expect that these few websites use CAs that the XG does not come shipped with.

    So from time to time it's required to add some CAs to the certificate store of the XG.

    Check the cert chain with the tools mentioned

    and search the certificate store for them.
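The following is an added example, not part of this thread and not Sophos code. It reproduces offline the condition Dirk describes (the firewall cannot verify the server identity) and the fix the last post suggests (import the missing CA into the proxy's certificate store). It builds a throw-away PKI with the openssl CLI (root CA, issuing CA, server leaf; all names and paths are constructed for the demo), shows the chain the server would present, and then asks openssl to verify the leaf under three trust-store conditions. The only assumption is that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): reproduce the
# "cannot verify the server identity" condition a decrypting proxy hits when
# the server's issuing CA is missing, and the effect of importing that CA.
# All names and paths are constructed for the demo; only openssl is assumed.
set -e
WORK="$(mktemp -d)"

# Build a private PKI: self-signed root -> issuing (intermediate) CA -> server leaf.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.crt" \
        -days 30 -extfile "$WORK/ca.ext" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Demo Issuing CA" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/inter.crt" -days 30 -extfile "$WORK/ca.ext" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/leaf.crt" -days 30 -extfile "$WORK/leaf.ext" 2>/dev/null
}

# Print subject and issuer of each certificate the server would present.
# This is the "check the cert chain" step: the issuer of the last cert shown is
# the CA that must be found in the proxy's store.
show_chain() {
    for c in leaf inter; do
        openssl x509 -in "$WORK/$c.crt" -noout -subject -issuer
    done
}

# Verdict a verifier reaches for the leaf: "trusted" when a chain can be built
# to a self-signed anchor in the store, otherwise "untrusted". openssl's reason
# (e.g. "unable to get local issuer certificate") goes to stderr; it is the
# same condition the firewall reports as being unable to check the identity.
#   $1 = trust store (PEM bundle)   $2 = extra certs sent by the server, or ""
chain_status() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" 2>&1) && rc=0 || rc=$?
    else
        out=$(openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1) && rc=0 || rc=$?
    fi
    printf '%s\n' "$out" >&2
    if [ "$rc" -eq 0 ]; then echo trusted; else echo untrusted; fi
}

build_chain
show_chain
# 1. Well-configured server: sends leaf + issuing CA, root is in the store.
echo "leaf+issuing CA sent, root in store:   $(chain_status "$WORK/root.crt" "$WORK/inter.crt")"
# 2. The symptom from the thread: the issuing CA is neither sent nor in the store.
echo "only leaf sent, root in store:         $(chain_status "$WORK/root.crt" "")"
# 3. The fix from the last post: import the issuing CA into the store.
cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/store.pem"
echo "only leaf sent, root+issuing in store: $(chain_status "$WORK/store.pem" "")"
```

Case 2 is the one to look for when only a handful of sites fail with the appliance CA correctly deployed: the client browsers may still succeed because they fetch or cache the missing intermediate, while the proxy, verifying strictly against its own store, cannot build the chain. Case 3 shows that adding the issuing CA to the store is enough for the chain to resolve to the existing root.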
