This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kilian_Huber
Participant
‎2019-02-27 05:51 AM

HTTPS Inspection, SNI and CN in generated certificate

We're having the following issue:

  • Security Gateway with Application Control/URL Filtering/HTTPS inspection (R80.10)
  • Improved HTTPS Inspection Bypass feature (Probe Bypass) as per sk104717 not enabled
  • Client wants to access a certain URL (let's call it https://host.inter.net/) and connects to IP of this host via port 443. IP is hosted on AWS
  • Client sends SNI in Client Hello with value of "host.inter.net"
  • Security Gateway performs HTTPS inspection and generates SSL certificate with Common Name of "*.us-east-1.es.amazonaws.com" and sends this to client in Sever Hello
  • Client sends TLS Alert "Bad Certificate" to server and closes connection

Obviously this is happening because the Security Gateway does not use the SNI sent from the client as the CN in the certificate it generates and presents to the client.

Does anyone else have this or similar issues? How do you work around it?

3 Replies
Vincent_Bacher
Advisor
‎2019-02-27 06:16 AM

Hello,
we are facing simiar issues at a customers environment with SNI and don't really have a solution, yet.
This is a reason to attend R80.30 EA because of SNI improvement and I am curious about the testing results.
cheers
Vincent

and now to something completely different
Alessandro_Marr
Advisor
‎2019-02-27 09:39 AM
In response to Vincent_Bacher

same way on R80.20 Take 33

0 Kudos
Chinmaya_Naik
Advisor
‎2019-02-28 02:18 AM

Hiii Vincent Bacher‌ You can use Hotfix on the top of R80.10 jumbo take.

NOTE: Make sure that, that Hotfix is dependent on the jumbo take.

Also If somehow SNI is not able to verify then its work according to the CN.

 

I am not tested yet with R80.30 but from R80.30 onwards SNI is included with below improvements.

#Chinmaya Naik

  

0 Kudos
Labels