HTTPS Inspection, SNI and CN in generated certific...

Kilian_Huber · ‎2019-02-27

We're having the following issue:

Security Gateway with Application Control/URL Filtering/HTTPS inspection (R80.10)
Improved HTTPS Inspection Bypass feature (Probe Bypass) as per sk104717 not enabled
Client wants to access a certain URL (let's call it https://host.inter.net/) and connects to IP of this host via port 443. IP is hosted on AWS
Client sends SNI in Client Hello with value of "host.inter.net"
Security Gateway performs HTTPS inspection and generates SSL certificate with Common Name of "*.us-east-1.es.amazonaws.com" and sends this to client in Sever Hello
Client sends TLS Alert "Bad Certificate" to server and closes connection

Obviously this is happening because the Security Gateway does not use the SNI sent from the client as the CN in the certificate it generates and presents to the client.

Does anyone else have this or similar issues? How do you work around it?

Vincent_Bacher · ‎2019-02-27

Hello,
we are facing simiar issues at a customers environment with SNI and don't really have a solution, yet.
This is a reason to attend R80.30 EA because of SNI improvement and I am curious about the testing results.
cheers
Vincent

and now to something completely different

Alessandro_Marr · ‎2019-02-27

same way on R80.20 Take 33

Chinmaya_Naik · ‎2019-02-28

Hiii Vincent Bacher‌ You can use Hotfix on the top of R80.10 jumbo take.

NOTE: Make sure that, that Hotfix is dependent on the jumbo take.

Also If somehow SNI is not able to verify then its work according to the CN.

I am not tested yet with R80.30 but from R80.30 onwards SNI is included with below improvements.

#Chinmaya Naik

HTTPS Inspection, SNI and CN in generated certificate