This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maciej_Maczka
Contributor
‎2020-02-07 07:04 AM

SSL inspection bypass for Signal app

Hi,

 

Did someone manage to configure SSL Inspection bypass for Signal app on R80.30 based on custom application?

I have ssl enhanced inspection enabled, 1 rule with custom application (textsecure-service.whispersystems.org) with action bypass, and second rule to inspect everything. Signal traffic always hits second rule.

 

In logs I can find:

First SSL Inspection log: textsecure-service.whispersystems.org Detected

Second SSL Inpsection log: Matched Category: Uncategorized, HTTPS Inspected

 

So it looks that aplication (url) is detected properly but NGFW still want's to inspect it.

 

 

Best Regads,

Maciej

 

 

9 Replies
PhoneBoy
Admin
Admin
‎2020-02-07 10:39 AM

Properly redacted screenshots of the relevant log cards and rules used will be helpful.
0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2020-02-07 10:46 AM

Regarding to this Signal support article you will need to bypass wildcard URLs, https and UDP.

Allowing all UDP Traffic will make your firewall vulnerable to the UDP hole punching attack.

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-02-07 12:45 PM

This works fine with other URL's on our FW's.

Is your https inspection enabled? I think so.

https_interception2.jpg

More read here
R80.x - Performance Tuning Tip - SNI vs. https inspection
or here:
HTTPS Inspection and website categorization improvements introduced in R80.30

If that doesn't help! Please some pictures of the https settings.

 

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Maciej_Maczka
Contributor
‎2020-02-10 05:19 AM

Hi,

 

as requested adding config and logs screenshots.

 

Best Regards,

Maciej

blades2.png

blades3.png

blades4.png

fw.png

log2.png

logs.png

logs3.png

ssl_inspect.png

ssl_inspect2.png

blades1.png

          

0 Kudos
PatrikSkoglund
Contributor
‎2020-02-10 05:41 AM
In response to Maciej_Maczka

I've this issue when I can't bypass by using domain names. I've to use IP:s. I guess it has to do with certificate pinning. But I might be wrong. But as soon as the traffic is intercepted the application fails. So get signals(in this case) ip-range and make a bypass rule for that. See if it works!
0 Kudos
Maciej_Maczka
Contributor
‎2020-02-10 06:16 AM
In response to PatrikSkoglund

Hi,

 

There is certificate pinning. But I don't want to inspect. Bypass should work as I see certificate cn.
Yes, bypass works for IP addresses.


According to: sk104717 in R80.30 probe bypass was introduced - enabled by default.


Bypass mechanism was improved to better reflect policy and resolve the above limitations:

  • Stop the inspection of the first connection to bypassed sites.
  • Allow bypass of Non-Browser Applications connections.
  • Allow Bypass of connections to servers that require client certificate.
  • New probing mechanism eliminates the need to inspect the first connection to an IP address unless it is required by the policy.


Limitation.

HTTPS Inspection will not work for sites that require SNI (Server Name Indication) extension in the SSL "Client hello" packet. (Server Name Indication is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.)

 

There is SNI inside Client Hello, but I do not want to inpsect. I want to bypass so this limitation is irrelevant.


Best Regards

Maciej

 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-11 03:37 PM
In response to Maciej_Maczka

What if you set the category for your custom site to one you are bypassing?
Might also be worth a TAC case.
0 Kudos
abihsot__
Advisor
‎2020-02-17 11:40 PM
In response to Maciej_Maczka

Hi there,

I have few ideas. First of all inspection rule any any is not recommended. Please try to define source and destination.

For some reason this url is not categorized as custom app but is matched as uncategorized. In custom app (signal) settings tick the box urls are defined as regular expressions and modify url to .*textsecure-service.whispersystems.org.*.

 

I see that server is using self-signed certificate. Try importing it to trusted CA list. I see you have drop traffic from untrusted servers unchecked, but it is quick try so worth checking.

* Server certificate:
* subject: C=US; ST=California; O=Open Whisper Systems; OU=Open Whisper Systems; CN=textsecure-service.whispersystems.org
* start date: Feb 15 17:38:17 2019 GMT
* expire date: Mar 12 18:20:20 2029 GMT
* issuer: C=US; ST=California; L=San Francisco; O=Open Whisper Systems; OU=Open Whisper Systems; CN=TextSecure
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

0 Kudos
User1234
Contributor
‎2022-06-02 06:49 AM

Any news or solutions to that?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events