topic Re: HTTPS Inspection, SNI and CN in generated certificate in General Topics

HTTPS Inspection, SNI and CN in generated certificate

Kilian_Huber — Wed, 27 Feb 2019 13:51:53 GMT

We're having the following issue:

Security Gateway with Application Control/URL Filtering/HTTPS inspection (R80.10)
Improved HTTPS Inspection Bypass feature (Probe Bypass) as per sk104717 not enabled
Client wants to access a certain URL (let's call it https://host.inter.net/) and connects to IP of this host via port 443. IP is hosted on AWS
Client sends SNI in Client Hello with value of "host.inter.net"
Security Gateway performs HTTPS inspection and generates SSL certificate with Common Name of "*.us-east-1.es.amazonaws.com" and sends this to client in Sever Hello
Client sends TLS Alert "Bad Certificate" to server and closes connection

Obviously this is happening because the Security Gateway does not use the SNI sent from the client as the CN in the certificate it generates and presents to the client.

Does anyone else have this or similar issues? How do you work around it?

Re: HTTPS Inspection, SNI and CN in generated certificate

Vincent_Bacher — Wed, 27 Feb 2019 14:16:23 GMT

Hello,
we are facing simiar issues at a customers environment with SNI and don't really have a solution, yet.
This is a reason to attend R80.30 EA because of SNI improvement and I am curious about the testing results.
cheers
Vincent

Re: HTTPS Inspection, SNI and CN in generated certificate

Alessandro_Marr — Wed, 27 Feb 2019 17:39:47 GMT

same way on R80.20 Take 33

Re: HTTPS Inspection, SNI and CN in generated certificate

Chinmaya_Naik — Thu, 28 Feb 2019 10:18:24 GMT

Hiii Vincent Bacher‌ You can use Hotfix on the top of R80.10 jumbo take.

NOTE: Make sure that, that Hotfix is dependent on the jumbo take.

Also If somehow SNI is not able to verify then its work according to the CN.

I am not tested yet with R80.30 but from R80.30 onwards SNI is included with below improvements.

#Chinmaya Naik