This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Paolo_Francese
Contributor
‎2019-05-14 07:35 AM
Jump to solution

Is there SNI support for inbound HTTPS inspection in R80.20?

Hi,

on gws R80.20 can I do HTTPS inspection on inbound connections that require SNI since on the server there are some virtual hosts with different certificates? If yes how?

 

Thanks in advance

 

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-11-05 11:21 PM
In response to SolidBE
Jump to solution

I checked with our experts in R&D and, provided you are on R80.30, you should be able to achieve it.
It should also work on R80.20 JHF 117 and above, but not sure it was tested there.

You can import the certificates into the gateway, create different custom application with each URL, and create an HTTPS Inspection rule with different certificate for each custom certificate similar to the following:

image001.png

View solution in original post

0 Kudos
25 Replies
PhoneBoy
Admin
Admin
‎2019-05-17 10:16 AM
Jump to solution

Not sure why it is necessary to inspect the SNI since the HTTPS Inspection sees the actual URL.
A more relevant question might be: do we duplicate the SNI from the client as part of the connection we made to the server?
Not sure.
Paolo_Francese
Contributor
‎2019-05-21 02:14 AM
In response to PhoneBoy
Jump to solution

Sorry, maybe I was not clear enough. My question is: is there SNI support in R80.20?

What I would like to do is inspect HTTPS traffic that go toward some virtual hosts running on a server behind CP gws. Every virtual host has its own certificate.

Thanks
Kosin_Usuwanthi
Collaborator
‎2019-05-21 03:24 AM
In response to Paolo_Francese
Jump to solution

Not sure is this your expect.

R80.30

State-of-the-Art HTTPS Inspection: New SSL Inspection Patent Pending Technologies. Delivering the power to inspect SSL-encrypted network traffic with secure SNI verification improvements.

PhoneBoy
Admin
Admin
‎2019-05-21 08:29 AM
In response to Paolo_Francese
Jump to solution

Most of the requests for support for SNI are usually about Outbound Inspection.
More specifically, it's to see what site is really being accessed without resorting to HTTPS Inspection.

With inbound HTTPS Inspection, the connection will terminate on the gateway.
This requires the private certificate of the site in question.
We'll be able to see the exact URL the end user specifies in this case.
As such, we don't need SNI.

A network diagram would be very helpful to understand what you're trying to achieve.
Michele_Gullia
Employee
Employee
‎2019-09-27 08:43 AM
In response to PhoneBoy
Jump to solution

"With inbound HTTPS Inspection, the connection will terminate on the gateway.
This requires the private certificate of the site in question.
We'll be able to see the exact URL the end user specifies in this case."

 

The URL is encrypted in the TLS sessions so the gateway needs to see the SNI, read what host the client needs to reach and select the right certificate to expose. 

So in my opinion the SNI support it's necessary in inboud https inspection

 

PhoneBoy
Admin
Admin
‎2019-09-27 03:51 PM
In response to Michele_Gullia
Jump to solution

The URL being accessed is part of the HTTP request, which doesn't require SNI to see.
I've also never heard of anyone having inbound SNI issues.
In any case, we do SNI validation as part of R80.30.

0 Kudos
Paolo_Francese
Contributor
‎2019-09-30 02:12 AM
In response to PhoneBoy
Jump to solution

What I do not understand is:

if I've a HTTPS server with only one IP and 10 virtual hosts, this server is behind a CP firewall how can I inspect traffic?

I cannot use HTTPS inspection because I've 10 certificates and only one IP, writing HTTPS inspection rule require to have one IP and one certificate, or am I wrong?

B-)

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-30 08:25 AM
In response to Paolo_Francese
Jump to solution

With 10 different certificates, it definitely would not work.
At a minimum, you'd have to create a new certificate that would be valid for all 10 hosts.
Specifically, it would have to list all 10 hosts in the Subject Alternate Name (SAN) field.
This will allow the remote browser to validate the certificate regardless of which of the 10 hosts you're ultimately accessing.
This certificate would then be used for Inbound SSL Inspection for all 10 sites.
Again, none of this has anything to do with SNI, which only matters when we're not terminating the TLS connection.

What I don't know is whether or not you can leave the certificate as-is on the other hosts.
Assuming the Security Gateway can validate those certificates as valid, I assume it would still work.
Alejandro_Ferna
Explorer
‎2019-10-15 03:05 AM
In response to PhoneBoy
Jump to solution

We have more than a hundred certificates in the same webserver (half of them are wildcards) and adding/replacing every month. To use only one certificate, even a SAN certificate, is not an option for us.

Do you know if it's there any chance to allow more than one certificate assigned to the same destination host for the https inbound analysis rules?

Regards!

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-19 02:17 PM
In response to Alejandro_Ferna
Jump to solution

This is not possible because of how TLS works, i.e. it's not a Check Point specific limitation.
Specifically, the server must present its server certificate before the client can communicate what host it is connecting to via SNI.
As such, the server certificate must be valid for all possible servers accessible from that IP address.
0 Kudos
Jelle_Hazenberg
Collaborator
Collaborator
‎2019-11-20 08:43 AM
In response to PhoneBoy
Jump to solution

Hi @PhoneBoy,

Based on what you are saying here:

"Specifically, the server must present its server certificate before the client can communicate what host it is connecting to via SNI." 

I don't believe that is true.

From: RFC 6066

3. Server Name Indication

   TLS does not provide a mechanism for a client to tell a server the
   name of the server it is contacting.  It may be desirable for clients
   to provide this information to facilitate secure connections to
   servers that host multiple 'virtual' servers at a single underlying
   network address.
   In order to provide any of the server names, clients MAY include an
   extension of type "server_name" in the (extended) client hello.

 

When the client supports SNI it will send the server name (in the extended field) in the client hello for the server (in our scenario the Check Point) to determine which certificate to send back. 

The whole process of selecting which certificate to present / send is based on the SNI extension of the TLS protocol.

The reason that we use SNI is because with the use of TLS there is no way for the server to determine the HTTP host header because it is encapsulated in a TLS header.

So, without the use (support) of SNI the server cannot determine which certificate to send back to the client and  if configured, it just throws "a" certificate which without the use of SAN would result in a "Untrusted Certificate" warning in your browser.

 

Regards,

 

Jelle

 

PhoneBoy
Admin
Admin
‎2019-11-21 02:13 AM
In response to Jelle_Hazenberg
Jump to solution

I read that after I had posted my original message 😬
In any case, this should work in R80.30 with the configuration I've detailed elsewhere in the thread.
0 Kudos
Kosin_Usuwanthi
Collaborator
‎2019-09-30 09:50 PM
In response to Paolo_Francese
Jump to solution

Hi 

For my case I need to block external user to access some website behide the gateway.

I have use custom application tool (sk103051) for custom SSL traffic with SNI. It works for blocked some website from same IP address.

0 Kudos
SolidBE
Explorer
‎2019-11-05 05:52 AM
In response to PhoneBoy
Jump to solution

Hi,

When hosting different websites with different certificates (no wildcard) on the same IP address, it is not possible to configure this at the moment, so I guess this means there is no SNI support for inbound HTTPS?

Regards,

Erik

0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-05 06:37 AM
In response to SolidBE
Jump to solution

Again, this issue has nothing to do with (lack of) SNI support.
It's a function of how TLS works.
If a given IP serves multiple HTTPS websites, the certificate presented must be valid for all the websites.
0 Kudos
SolidBE
Explorer
‎2019-11-05 06:53 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

It is possible to configure multiple independent certificates (different domains, so no wildcard possible) on a single IP. This only works with browsers and webservers that support SNI. But since this is currently not configurable in the HTTPS inspection I suppose this feature is not supported.

Or will it work if we add multiple rules with the same source IP, destination IP and port number, but different inbound certificates?

Regards,

Erik

0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-05 07:07 AM
In response to SolidBE
Jump to solution

Not sure it works that way, but you can try it on R80.30 or R80.20 JHF 117 or later.
0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-05 11:21 PM
In response to SolidBE
Jump to solution

I checked with our experts in R&D and, provided you are on R80.30, you should be able to achieve it.
It should also work on R80.20 JHF 117 and above, but not sure it was tested there.

You can import the certificates into the gateway, create different custom application with each URL, and create an HTTPS Inspection rule with different certificate for each custom certificate similar to the following:

image001.png

0 Kudos
dannys
Employee Alumnus
Employee Alumnus
‎2019-11-07 02:33 AM
In response to PhoneBoy
Jump to solution

You will also be able to achieve this on R80.20 JHF 118 and above.

0 Kudos
Michele_Gullia
Employee
Employee
‎2019-11-19 09:47 AM
In response to PhoneBoy
Jump to solution

It does not work. policy installation fail because "“rule 1 si not valid because its site category column must contain only the any object (inbound rule)."
0 Kudos
dannys
Employee Alumnus
Employee Alumnus
‎2019-11-20 07:09 AM
In response to Michele_Gullia
Jump to solution

Hi Michele,

This scenario has been tested in the QA department.
Please contact me and I'll try to help you.

Regards,
Danny
henryck
Participant
‎2020-10-28 02:41 PM
In response to dannys
Jump to solution

Danny, I am experiencing the same verification issue in the latest take R80.40

I've tried multiple variations of creating the https inspection policy using application (unified policy), can you expand on the above as I feel like I'm missing something. I can open a case with TAC otherwise but have not found much in the documentation to say this is supported. 

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-20 12:31 PM
Jump to solution

Hi @Paolo_Francese ,

R80.20 with enabled HTTPS interception:

If the https interseption is enabled, the parameter host from http can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. Several protocols uses CPAS, for example: HTTPS, VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.) 

More read here: R80.x Security Gateway Architecture (Content Inspection) 

 

R80.20 without enabled HTTPS interception:

If the https interseption is disabled, SNI is used to recognize the virtual URL for application control and url filtering.

More read here: URL Filtering using SNI for HTTPS websites.pdf 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-20 12:54 PM
In response to HeikoAnkenbrand
Jump to solution

Better use R80.30:-)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-24 06:31 PM
In response to HeikoAnkenbrand
Jump to solution

R80.20 with JHF 117 and above apparently has the improved SNI support.
If you're on an earlier JHF, we are not looking at SNI.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events