Outbound https inspection and SNI on R80.20

Hi!

I am a bit confused about https inspection and SNI-support.

We are running R80.20 take 80 with https inspection, and we also have enabled "Categorize HTTPS websites" for the non-https-inspection machines.

Lately we encounter strange behaviours with websites running in Cloudflare.

ssllabs shows: "This site works only in browsers with SNI support." and most of them only support ECDSA cipher suites, which are only supported from the gateway to the server in R80.20.


One example of the behaviour

Client using chrome (same issue with other browsers) to access https://oauth.net

Pcap from the client: the client web browser sends a Client Hello, SNI=oauth.net

The gateway tries to connect to the server and tries the supported cipher suites.

Pcap from the gateway: After a while (after failing several times without sending ECDSA ciphers) they connect with the supported ECDSA cipher and the server sends correct SAN-names:
*.oauth.net, sni.cloudflare.com and oauth.net


Pcap from the client:

The client receives wrong SAN-names: api2.hitta.se and sni.cloudflare.com, and the web browser displays a certificate warning.


All wrong SAN-names displayed are also hosted on cloudflare, so my theory is that the firewall has cached the SAN-names and the corresponding ip-address.

After hitting F5 a lot of times and accepting the wrong certificate, the client can connect.


My questions:

Why is the client getting wrong SAN-names from the gateway?

Is there an https cache (SAN-names to corresponding ip-address) that is causing this?

If so, can it be cleared?

Is there a way to get around this issue without disabling https-inspection for the Cloudflare /14 subnet and without upgrading to R80.30?

Adding screenshots of the behaviour.


Accepted Solutions

Re: Outbound https inspection and SNI on R80.20

We have the same issue. I've run a lengthy ticket with Check Point. It's fixed in R80.30 and won't be fixed in R80.20.


7 Replies


Re: Outbound https inspection and SNI on R80.20


Do you know if this is caused because we are running https-inspection + having "Categorize HTTPS websites" enabled at the same time?

mdjmcnally
Silver

Re: Outbound https inspection and SNI on R80.20


I'll be honest, I don't know, as normally I always have one or the other enabled, not both.


The R77.30 help has more information, where it says that it basically ignores the option if HTTPS Inspection is enabled, but I couldn't state 100% that this is still true for R80.x.

mdjmcnally
Silver

Re: Outbound https inspection and SNI on R80.20


Not saying it will fix this, however there are a number of enhancements for SNI and HTTPS Inspection in R80.20 Jumbo Take 117.

There is a new GA Take 127 that has this.

Might possibly be worth looking at patching to this.


Normally you should only have the Categorise HTTPS sites when not doing HTTPS Inspection.

The R77.30 help contains this information:


The Categorize HTTPS sites option does not run if:

  • HTTPS Inspection is enabled.
  • There is a proxy between the destination site and the firewall (or the firewall functions as a proxy).

    The destination site is categorized according to IP address. The site URL is extracted from the SSL CONNECT request the client sends to the Proxy.


Don't know if that is changed with R80 to be honest.


Re: Outbound https inspection and SNI on R80.20

The Categorize HTTPS websites option is set in SmartConsole. I want it disabled on the fw that is running https-inspection, and enabled on the others. Not sure how to achieve that?
mdjmcnally
Silver

Re: Outbound https inspection and SNI on R80.20


It is a Global Setting, either on or off, which then applies to ALL Firewalls in that Management System.


Re: Outbound https inspection and SNI on R80.20

Yes. Both on should work from R80.20.