
Decrypt and Scan HTTPS invalidates HTTPS certificates

I suppose I need to better understand Decrypt and Scan HTTPS Malware Scanning. I noticed that when I browse an HTTPS site, the cert is replaced by the Sophos cert. So, my question is why, and how to troubleshoot. If I turn Decrypt off then all is fine.



This thread was automatically locked due to age.
  • Hello,

     

    Thank you for the great explanations on the issue.

    I currently have the Decrypt and scan HTTPS turned off. I go to Google's web site and still get the 'NET::ERR_CERT_AUTHORITY_INVALID' error.

    I am using the VMware virtual configuration on ESXi 5.5. I have configured a Netgear router on the same IP subnet as the XG on 172.16.16.16.

    That way I can quickly flip back and forth to test and get back to normal Internet access.

    I do want to use this feature in time, but right now I am trying to get the XG just up and running normally, and then work on enabling more features and security.

    If I have Decrypt and scan HTTPS turned off, why would I still get the error or issue?

    I have been an Astaro ver. 7 through UTM ver. 9 user, so the XG has a bit of a steep learning curve for me. Learning to ride the bike all over again, of sorts.

    I had issues with my UTM, and the old CPU up and died on me so I decided to bite the bullet and start over on XG. Love the features.

    When I switch back to XG I will look into trying to download that cert as suggested in one of the posts.

    Right now I am looking for a simple, quick and easy fix so I no longer get the 'NET::ERR_CERT_AUTHORITY_INVALID' error.

    Any specific settings to post in an update post to this, if it helps to figure out what I have set or not set correctly or need to turn off or on or additional rule? My XG is very close to a basic default install with one default firewall rule.

    Sincerely,

    Chad

     

     

  • If the XG is trying to redirect you to a captive portal login page or display a block page it will still do a decrypt and scan. 

    If you go past the warning, what do you get?

    UTM and XG behave pretty much the same way with regards to HTTPS, just the configuration screens are different.

  • Chad, if you are still getting an invalid certificate, then HTTPS Decrypt and Scan is *NOT* turned off or, by some magic, your browser is still using the same session it did previously and thus getting the error. Double check all the rules, make sure D&S is unchecked, close your browser window, re-open, and try again. Worst case, reboot the Sophos box. Should not be necessary, but hey, stranger things have happened.

    Also - do this - check the certificate that you are getting - Make sure it is still the XG's certificate.... The certificate should say it is issued by Sophos SSL CA_xxxxxxxx or SophosCA_xxxxxxxxx.  Honestly I can't remember which is the default, it has been so long since I used it. (We use a custom CA issued by our enterprise PKI). Only reason I suggest that is to make sure we are indeed dealing with the Sophos HTTPS D&S and not some other software.  Again - stranger things...
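
The issuer check suggested in the reply above, as an added example that is not part of the original thread: it pulls the CN out of an `openssl x509 -noout -issuer` line (both the newer comma-separated and the older slash-separated layouts) and reports whether it starts with one of the two prefixes named in that reply. The function names and the sample issuer lines are constructed for illustration; the `xxxxxxxx` suffix is the thread's own placeholder.

```shell
#!/usr/bin/env bash
# Added example: is the certificate I am being shown issued by the firewall's CA?

# Extract the CN from an issuer line. Handles "issuer=C = NA, CN = X"
# (OpenSSL 1.1+) and "issuer= /C=NA/CN=X" (older releases).
issuer_cn() {
    printf '%s\n' "$1" | sed -n -E 's/^issuer= ?//; s#.*CN ?= ?([^,/]+).*#\1#p'
}

# Classify the issuer. The two prefixes are the ones named in the reply above.
classify_issuer() {
    local cn
    cn=$(issuer_cn "$1")
    case "$cn" in
        "Sophos SSL CA_"*|"SophosCA_"*) echo "sophos-inspection: $cn" ;;
        "")                             echo "unknown: no CN in issuer" ;;
        *)                              echo "other: $cn" ;;
    esac
}

# Fetch the issuer line for a live host (needs network access; not called here).
live_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer
}

# Constructed sample issuer lines, not captured from a real device.
SAMPLES='issuer=C = NA, O = Example Org, CN = Sophos SSL CA_xxxxxxxx
issuer= /C=NA/O=Example Org/CN=SophosCA_xxxxxxxxx
issuer=C = NA, O = Example Public CA, CN = Example Public CA R1
issuer=O = Example Org'

printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
    classify_issuer "$line"
done
```

On a client behind the firewall, `classify_issuer "$(live_issuer www.example.com)"` gives the same verdict for a live connection; an `other:` result while the browser still warns points at something other than the firewall's HTTPS inspection.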

  • Hello,

     

    I did another factory reset and it is off and not getting the issue. When I do decide to enable it, it looks like I will need to add the XG local certificate to all my machines / browsers.

    I am on call from work this week so not really making any changes or enabling any more features or rules to XG right now, but Monday the 26th of Dec. I will start to enable more features and functions. Thank you for the information.

    Chad