HTTPS Inspection, SNI and CN in generated certificate

We're having the following issue:

  • Security Gateway with Application Control/URL Filtering/HTTPS inspection (R80.10)
  • Improved HTTPS Inspection Bypass feature (Probe Bypass) as per sk104717 not enabled
  • Client wants to access a certain URL (let's call it https://host.inter.net/) and connects to IP of this host via port 443. IP is hosted on AWS
  • Client sends SNI in Client Hello with value of "host.inter.net"
  • Security Gateway performs HTTPS inspection and generates an SSL certificate with Common Name of "*.us-east-1.es.amazonaws.com" and sends this to the client in the Server Hello
  • Client sends TLS Alert "Bad Certificate" to server and closes connection

Obviously this is happening because the Security Gateway does not use the SNI sent from the client as the CN in the certificate it generates and presents to the client.

Does anyone else have this or similar issues? How do you work around it?
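The following check is an added example, not code from the original post or from Check Point. It reproduces the client-side decision described above: given the SNI the client sent and the names in the certificate the gateway presents, it reports whether a browser-style hostname match succeeds or ends in the "Bad Certificate" alert. It assumes the thread's placeholder host.inter.net, the CN quoted above, and the common RFC 6125 matching rules (SAN dNSNames first, Subject CN only as fallback, wildcard only as the whole leftmost label).

```python
"""Reproduce the SNI-vs-certificate mismatch from the thread (added example)."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the SNI host the way browsers do
    (RFC 6125 rules): case-insensitive, and a wildcard is accepted only as
    the entire leftmost label of a name with at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_sni(sni: str, common_name: str, san_dns=None) -> bool:
    """Clients consult the SAN dNSName list first; the Subject CN is used only
    as a fallback when the certificate carries no SAN entries at all."""
    candidates = list(san_dns) if san_dns else [common_name]
    return any(_name_matches(name, sni) for name in candidates)


def client_verdict(sni: str, common_name: str, san_dns=None) -> str:
    """Return the TLS alert a client would send ('bad_certificate') or 'ok'."""
    return "ok" if cert_matches_sni(sni, common_name, san_dns) else "bad_certificate"


# Constructed sample reproducing the thread: the client asked for host.inter.net,
# but the gateway minted a certificate whose CN is the backing AWS hostname.
SNI = "host.inter.net"
INSPECTION_CERT_CN = "*.us-east-1.es.amazonaws.com"

if __name__ == "__main__":
    print(client_verdict(SNI, INSPECTION_CERT_CN))           # bad_certificate
    print(client_verdict(SNI, SNI))                          # ok
    print(client_verdict(SNI, "ignored", ["*.inter.net"]))   # ok (SAN wildcard)
```

Feed it the CN and SAN names from the certificate the gateway actually presents (for example from a packet capture of the Server Hello) to confirm the mismatch before raising a case.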

3 Replies

Re: HTTPS Inspection, SNI and CN in generated certificate

Hello,
We are facing similar issues at a customer's environment with SNI and don't really have a solution yet.
This is a reason to attend the R80.30 EA because of the SNI improvement, and I am curious about the testing results.
cheers
Vincent

and now to something completely different

Re: HTTPS Inspection, SNI and CN in generated certificate

same way on R80.20 Take 33


Re: HTTPS Inspection, SNI and CN in generated certificate

Hi Vincent Bacher, you can use a Hotfix on top of the R80.10 jumbo take.

NOTE: Make sure that the Hotfix is dependent on the jumbo take.

Also, if somehow the SNI cannot be verified, then it works according to the CN.


I have not tested with R80.30 yet, but from R80.30 onwards SNI is included with the improvements below.

#Chinmaya Naik
