Re: HTTPS Inspection Probe Bypass on R80.20, shoul...

Alessandro_Marr · ‎2019-02-07

Hello, I´m using R80.20 Take 33, when I enable the flag enhanced_ssl_inspection some sites don´t open in browsers like chrome (version 58 or 71)... example: www.uol.com, www.bitcointrade.com.br...etc... any tips or sugestions?

Thank you.

Alessandro

Kim_Moberg · ‎2019-02-07

Hi Alessandro

Is it SNI domains your are trying to access?

Did you try to analyze and inspect domains via https://www.ssllab.com? It will show you certicate type and which encryption is enabled.

I had to enable some encryption protocol levels when using probe bypass.

Best regards

Kim

Best Regards
Kim

Emanuele_Lorenz · ‎2019-03-13

The behaviour has been changed, please look at sk104717:

Important:

In R80.10, before Jumbo Hotfix Accumulator for R80.10 Take 189, the probing feature is set, by default, to Fail Open.
From Take 189, the default behavior is changed to Fail Close.
You can return to the behavior as it was before Take 189, by setting bypass_on_enhanced_ssl_inspection 1

To set the default to Fail Open:

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

The probing feature may fail in the following scenarios (and therefore it is not recommended):

Server requires an SNI extension in the SSL "Client hello" packet.
Missing cipher - The Security Gateway does not support any of the server allowed ciphers.
The server presents an incorrect certificate when SNI is not provided

To disable probing (Recommended):

Run: fw ctl set int enhanced_ssl_inspection 0
In $FWDIR/modules/fwkern.conf, add this line: enhanced_ssl_inspection=0

Are you a member of CheckMates?

HTTPS Inspection Probe Bypass on R80.20, should I enable?