topic Re: err_ssl_protocol_error on a website in Browse

err_ssl_protocol_error on a website

Ilovecheckpoint — Thu, 21 Aug 2025 16:52:45 GMT

Hello,

A user needs to access a site which has a revoked certificate.

I accept to access on it, he does not need to authenticate or add any sensitive datas on it.

HTTPS inspection is not activate, but url filtering yes and it shows as Detect the revoked certificate

IPS and antivirus blades are activated as well.

The same pc connected to a different Internet connection can surf on it.

Categorizsed HTTPS website is activated as well, on general properties.

How can I grant user access to this site?

Re: err_ssl_protocol_error on a website

PhoneBoy — Thu, 21 Aug 2025 20:05:04 GMT

You posted this question in Harmony Browse space, yet you're asking this as if this is going through a gateway.
Confirm the product and versions/JHF in use.

In any case, by default, we validate the certificate ourselves and deny access if the certificate is revoked.
This can be changed.
In R82, this can be done in SmartConsole:

In R81.20 and earlier, it must be done in SmartDashboard:

In either case, it requires publishing and installing the Access Policy to take effect.

Re: err_ssl_protocol_error on a website

the_rock — Thu, 21 Aug 2025 21:03:20 GMT

Do you have screenshot of it?

Andy

Re: err_ssl_protocol_error on a website

the_rock — Thu, 21 Aug 2025 21:09:46 GMT

I think that server certificate setting is only applicable though if they have https inspection enabled?

Andy

Re: err_ssl_protocol_error on a website

PhoneBoy — Thu, 21 Aug 2025 21:39:31 GMT

It's also used as part of Verified SNI.

Re: err_ssl_protocol_error on a website

Ilovecheckpoint — Thu, 28 Aug 2025 14:56:21 GMT

Thank you for the information.

My version is R81.20 Take 99.

So even if HTTPS inspection has not been configured, the default option "Revoked server certificate" is performed, so it drop the communication.

Checking log, it shows only Detect and this let me think that the behaviour is not to block it, but just to inform, but I'm wrong.

If I'm going to disable this option, I understand it is global for all sites, I was hoping there was a way to create an exception.

Re: err_ssl_protocol_error on a website

PhoneBoy — Thu, 28 Aug 2025 19:32:09 GMT

Perhaps I was mistaken that this setting is used for Verified SNI.
It definitely is for HTTPS Inspection, and yes this is a global setting.
No action is required here, but that explains the error.

Re: err_ssl_protocol_error on a website

the_rock — Fri, 29 Aug 2025 19:27:12 GMT

I would definitely see if you can install R81.20 with recommended jumbo hotfix 105 and see if that fixes the issue.

Andy

Re: err_ssl_protocol_error on a website

Lesley — Fri, 29 Aug 2025 19:49:27 GMT

Try to make bypass rule above the current https inspection rule. Instead of url use the ip of the relevant website.

Re: err_ssl_protocol_error on a website

Ilovecheckpoint — Tue, 02 Sep 2025 11:40:20 GMT

I have noticed, for domains where I upgraded from R81.20 to R81.20, the install option is not enabled by default.

On domains where the firewall have been installed on R81.20, this option is enabled by default.

Re: err_ssl_protocol_error on a website

the_rock — Tue, 02 Sep 2025 12:04:03 GMT

Thats right.