Command line download using wget ( and SSL ) freezes after connecting.

Good Day!

I've recently run into a bit of an issue with Sophos XG Home. There have been multiple posts about SSL here, so I apologize if the solution has already been mentioned & I didn't see it. In my case, I've started using a script that uses wget to grab a file from Amazon AWS. Wget seems to connect just fine, but then just times out after a minute or so. Setting web filter to "Allow All" doesn't resolve this, but turning off web filtering under my default policy allows the connection to complete & the file to be downloaded. I mention SSL because the output from wget before the timeout is "Connecting to s3.amazonaws.com[54.231.114.116]:443... connected." I'm not decrypting SSL traffic, so it's about as basic a setup as you can get. Is this related to others' issues, or have I stumbled upon something else?

Thanks in advance,

Bryan


  • Bryan,

    check your Web logs and see what is blocked when you launch the script.

    You can find the Web Logs from the log viewer on top of the Control Center (top-right)

    Thanks

  • Thanks for the quick response.

    Web logs show no blocked traffic at all. Tried looking under any of the other logs for blocked / denied requests... Found invalid traffic messages under the security policy log, but nothing that corresponds with launching the transfer. I do have to mention that trying to grab the file by pasting it into a browser does succeed, though the browser complains that the site isn't secure (Amazon AWS). It's not complaining of an invalid certificate - there seems to be a lack of one on Amazon's side. If I can provide anything more to help, please let me know.

    Thanks,


    Bryan

  • Bryan,

    connect to the XG CLI (using PuTTY or whatever tool you like), Option 4 and use the command:

    drop-packet-capture "host 192.168.0.10"

    With quotes (change the 192.168.0.10 with the internal host where the traffic is blocked). You can even write the public IP instead of the internal IP.

    See if traffic is blocked and post the result

    Thanks

    Still no blocked traffic reported. Interestingly, wget works perfectly if I tell it NOT to connect to AWS with SSL. There was another topic posted, and it's not the same issue I'm seeing, but the underlying problem may be the same: https://community.sophos.com/products/xg-firewall/f/web-protection/75282/sophos-xg-breaks-ssl-when-connecting-to-outlook-anywhere - look at the second page of replies, both Michael Dunn and vishaljpatel posted a valid assessment. It seems that the traffic doesn't make it through when wget requests an SSL page from a server that has no certificate. A browser seems to handle the request & just show a warning icon, but something about the traffic passed to the command line utility isn't quite right.

  • Hello Bryan

    As you are saying that the invalid certificate issue is from Amazon's end, you will have to do a wget using the --no-check-certificate option.

    Please try the following. 

    wget --no-check-certificate <fqdn>

    Regards,

    After updating wget, this does actually work. However, the question is: "Is this intended behavior, or a bug that needs patching?" It seems that an invalid cert or nonexistent cert shouldn't result in dropped traffic. Wget is provided and referenced as part of a larger package in this case. Let me know either way. I'll inform the developers of the other app one way or another.

  • Hello Bryan,

    An SSL error or invalid certificate error could be caused by multiple issues like an expired certificate, a self-signed certificate from a non-trusted CA, etc.

    In this case, as an invalid certificate is being issued from the destination end, you will need to proceed ahead (as you would do on any browser after receiving the certificate error).

    Since wget is not made to be interactive like the browser, if you encounter an SSL error or invalid certificate, you'll need to tell wget before connecting to the website whether the certificate needs to be checked.

    Hope that helps. 

    Regards,

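The thread ends with "use --no-check-certificate", which makes wget accept any certificate at all, and with a script that hangs for a minute when the handshake stalls. The snippet below is an added example (not from this thread, Sophos, or the wget project): a small POSIX sh helper that runs wget with a hard timeout and, instead of disabling verification, reads wget's stderr to tell a certificate verification failure apart from a handshake that stalls right after "connected." (the symptom Bryan reports) or a plain timeout, so the script can fail with the real cause. It assumes GNU wget's usual English messages; the sample outputs embedded below are constructed for the demo, not captured from a real session, and the `--ca-certificate` path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose a failed HTTPS download from
# wget's own output instead of blindly adding --no-check-certificate.
# The log samples at the bottom are constructed for this demo.

# classify_wget_log FILE
# Reads a file holding wget's stderr and prints one of:
#   cert_verify_failed | tls_handshake_failed | timed_out |
#   hung_after_connect | ok | unknown
classify_wget_log() {
    log="$1"
    if grep -q -e 'cannot verify' -e 'is not trusted' -e "hasn't got a known issuer" "$log"; then
        echo cert_verify_failed          # fix the CA bundle, do not disable checking
    elif grep -q 'Unable to establish SSL connection' "$log"; then
        echo tls_handshake_failed        # handshake completed with an error
    elif grep -q -e 'Connection timed out' -e 'Read error' "$log"; then
        echo timed_out                   # wget itself gave up
    elif grep -q '200 OK' "$log"; then
        echo ok
    elif grep -q 'connected\.$' "$log" && ! grep -q 'HTTP request sent' "$log"; then
        # TCP connect succeeded but the HTTP request was never sent: the TLS
        # handshake stalled, which is where this thread's script sat for a minute.
        echo hung_after_connect
    else
        echo unknown
    fi
}

# fetch_with_diagnosis URL OUTFILE [CA_BUNDLE]
# Bounded wget run: --timeout/--tries stop a stalled handshake blocking the
# script, --ca-certificate pins verification to the bundle you expect.
# Requires GNU wget and network access; not exercised by the demo below.
fetch_with_diagnosis() {
    url="$1"; out="$2"; ca="$3"      # ca e.g. /path/to/expected-ca.pem (placeholder)
    log=$(mktemp)
    if [ -n "$ca" ]; then
        wget --timeout=30 --tries=2 --ca-certificate="$ca" -O "$out" "$url" 2>"$log"
    else
        wget --timeout=30 --tries=2 -O "$out" "$url" 2>"$log"
    fi
    classify_wget_log "$log"
    rm -f "$log"
}

# --- constructed sample stderr, one file per scenario ---
HUNG_LOG=$(mktemp); CERT_LOG=$(mktemp); OK_LOG=$(mktemp); TIMEOUT_LOG=$(mktemp)
trap 'rm -f "$HUNG_LOG" "$CERT_LOG" "$OK_LOG" "$TIMEOUT_LOG"' EXIT

cat >"$HUNG_LOG" <<'EOF'
Resolving s3.amazonaws.com (s3.amazonaws.com)... 54.231.114.116
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.114.116|:443... connected.
EOF

cat >"$CERT_LOG" <<'EOF'
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.114.116|:443... connected.
ERROR: cannot verify s3.amazonaws.com's certificate, issued by 'CN=Example Untrusted CA':
  Unable to locally verify the issuer's authority.
To connect to s3.amazonaws.com insecurely, use `--no-check-certificate'.
EOF

cat >"$OK_LOG" <<'EOF'
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.114.116|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1024 (1.0K) [application/octet-stream]
EOF

cat >"$TIMEOUT_LOG" <<'EOF'
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.114.116|:443... failed: Connection timed out.
Retrying.
EOF

# demo: print the verdict for each constructed sample
demo_all() {
    for f in "$HUNG_LOG" "$CERT_LOG" "$OK_LOG" "$TIMEOUT_LOG"; do
        printf '%s\n' "$(classify_wget_log "$f")"
    done
}
demo_all
```

`hung_after_connect` is the case worth alerting on in a scheduled job: it means the firewall (or something between wget and the server) let the TCP connection through but the TLS handshake never finished, which is a policy or inspection question for the firewall admin, not something a certificate flag should paper over. `cert_verify_failed` is the only case where a certificate option is the answer, and then it should be `--ca-certificate` pointing at the issuer you actually expect.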