https://community.checkpoint.com/t5/Firewall-and-Security-Management/https-inspection-on-R80-30-JHF-219-SAN-error-on-client/m-p/121812#M17404 <P>Hi</P><P>I have a problem with HTTPS inspection and SAN cert on R80.30 JHF 219.</P><P>&nbsp;</P><P>The scenario:</P><P>HTTPS inspection is enabled with a self-signed cert from the gateway itself and imported unto the clients.</P><P>Application Control, URL filtering and IP Sec VPN is enabled.</P><P>HTTPS inspection policy is default.</P><P>&nbsp;</P><P>The clients get a cert error when connecting to their company website, which is hosted at a third party hosting-partner.</P><P>The certificate coming from 3.party contains these details:</P><UL><LI>CN = companyname.dk</LI><LI>Issuer = Let's Encrypt</LI></UL><P>Subject Alt Names:</P><UL><LI>&nbsp;DNS Name = companyname.dk</LI><LI>&nbsp;DNS Name = <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A></LI></UL><P>Public Key info:</P><UL><LI>Algorithm = Elliptic Curve</LI><LI>Key Size = 384</LI><LI>etc etc etc.</LI></UL><P>When you access the website, it redirects you to <A href="https://www.companyname.dk" target="_blank" rel="noopener">https://www.companyname.dk</A> and this is where it gives an error on the client when https inspection is enabled. Disabling HTTPS inspection makes it work normally.</P><P>&nbsp;</P><P>Looking in the firewall log I see this:</P><P>HTTPS Validation: Invalid CRL Retrived</P><P>Resource: <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A></P><P>Description: <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A> Detected</P><P>Description: No Valid CRL. Certificate DN) 'CN=companyname.dk' Requested Server Name: <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A>.</P><P>&nbsp;</P><P>It looks to me like the firewall does not like that the FQDN that the request gets redirected to is not the one in CN.</P><P>Can I do something about that, generally, so HTTPS inspection takes SAN into consideration?</P><P>&nbsp;</P><P>Something regarding this should have been fixed in our version (219), but not enough I guess: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk118392" target="_blank" rel="noopener">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk118392</A> (article refers to SAN only being checked first time, should have been fixed in version 195)</P><P>&nbsp;</P> Tue, 22 Jun 2021 11:10:27 GMT ias_gc-dk 2021-06-22T11:10:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/https-inspection-on-R80-30-JHF-219-SAN-error-on-client/m-p/121812#M17404 <P>Hi</P><P>I have a problem with HTTPS inspection and SAN cert on R80.30 JHF 219.</P><P>&nbsp;</P><P>The scenario:</P><P>HTTPS inspection is enabled with a self-signed cert from the gateway itself and imported unto the clients.</P><P>Application Control, URL filtering and IP Sec VPN is enabled.</P><P>HTTPS inspection policy is default.</P><P>&nbsp;</P><P>The clients get a cert error when connecting to their company website, which is hosted at a third party hosting-partner.</P><P>The certificate coming from 3.party contains these details:</P><UL><LI>CN = companyname.dk</LI><LI>Issuer = Let's Encrypt</LI></UL><P>Subject Alt Names:</P><UL><LI>&nbsp;DNS Name = companyname.dk</LI><LI>&nbsp;DNS Name = <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A></LI></UL><P>Public Key info:</P><UL><LI>Algorithm = Elliptic Curve</LI><LI>Key Size = 384</LI><LI>etc etc etc.</LI></UL><P>When you access the website, it redirects you to <A href="https://www.companyname.dk" target="_blank" rel="noopener">https://www.companyname.dk</A> and this is where it gives an error on the client when https inspection is enabled. Disabling HTTPS inspection makes it work normally.</P><P>&nbsp;</P><P>Looking in the firewall log I see this:</P><P>HTTPS Validation: Invalid CRL Retrived</P><P>Resource: <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A></P><P>Description: <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A> Detected</P><P>Description: No Valid CRL. Certificate DN) 'CN=companyname.dk' Requested Server Name: <A href="http://www.companyname.dk" target="_blank" rel="noopener">www.companyname.dk</A>.</P><P>&nbsp;</P><P>It looks to me like the firewall does not like that the FQDN that the request gets redirected to is not the one in CN.</P><P>Can I do something about that, generally, so HTTPS inspection takes SAN into consideration?</P><P>&nbsp;</P><P>Something regarding this should have been fixed in our version (219), but not enough I guess: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk118392" target="_blank" rel="noopener">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk118392</A> (article refers to SAN only being checked first time, should have been fixed in version 195)</P><P>&nbsp;</P> Tue, 22 Jun 2021 11:10:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/https-inspection-on-R80-30-JHF-219-SAN-error-on-client/m-p/121812#M17404 ias_gc-dk 2021-06-22T11:10:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/https-inspection-on-R80-30-JHF-219-SAN-error-on-client/m-p/122058#M17451 <P>This might be a bug and I highly recommend a TAC case.<BR />You can potentially work around this by disabling CRL checking in SmartDashboard (shown here):</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-06-24 at 7.57.31 AM.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12315i612154B918A8B0EE/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2021-06-24 at 7.57.31 AM.png" alt="Screen Shot 2021-06-24 at 7.57.31 AM.png" /></span></P> Thu, 24 Jun 2021 14:58:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/https-inspection-on-R80-30-JHF-219-SAN-error-on-client/m-p/122058#M17451 PhoneBoy 2021-06-24T14:58:59Z