ias_gc-dk
Contributor

https inspection on R80.30 JHF 219 - SAN error on client

Hi

I have a problem with HTTPS inspection and SAN cert on R80.30 JHF 219.


The scenario:

HTTPS inspection is enabled with a self-signed cert from the gateway itself, imported onto the clients.

Application Control, URL Filtering and IPsec VPN are enabled.

HTTPS inspection policy is default.


The clients get a cert error when connecting to their company website, which is hosted at a third party hosting-partner.

The certificate coming from the third party contains these details:

  • CN = companyname.dk
  • Issuer = Let's Encrypt

Subject Alt Names:

Public Key info:

  • Algorithm = Elliptic Curve
  • Key Size = 384
  • etc etc etc.

When you access the website, it redirects you to https://www.companyname.dk and this is where it gives an error on the client when https inspection is enabled. Disabling HTTPS inspection makes it work normally.


Looking in the firewall log I see this:

HTTPS Validation: Invalid CRL Retrived

Resource: www.companyname.dk

Description: www.companyname.dk Detected

Description: No Valid CRL. Certificate DN) 'CN=companyname.dk' Requested Server Name: www.companyname.dk.


It looks to me like the firewall does not like that the FQDN that the request gets redirected to is not the one in CN.

Can I do something about that, generally, so HTTPS inspection takes SAN into consideration?


Something regarding this should have been fixed in our version (219), but not enough I guess: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... (article refers to SAN only being checked first time, should have been fixed in version 195)


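To illustrate the SAN-versus-CN question the post raises, here is an added example (not from the thread or from Check Point) of RFC 6125-style hostname matching: when a certificate carries dNSName SAN entries they are authoritative, and the CN is only a fallback for certificates with no SAN at all. The certificate data is constructed to mirror the case described, assuming www.companyname.dk appears only in the SAN list.

```python
"""RFC 6125-style hostname matching: SAN first, CN only as a fallback.

Added example (not from the thread). The certificate data below is
constructed: CN=companyname.dk, with www.companyname.dk assumed to be
present only in the Subject Alternative Name extension.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def _label_match(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host name. A single '*' is
    accepted only as the whole left-most label (RFC 6125 section 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Refuse '*.tld' and partial-label wildcards such as 'w*.example.dk'.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, host: str) -> bool:
    """If any SAN dNSName is present, only the SAN list is consulted; the CN
    is used solely for legacy certificates that carry no SAN."""
    if cert.san_dns:
        return any(_label_match(p, host) for p in cert.san_dns)
    return _label_match(cert.common_name, host)


# Constructed sample mirroring the thread: the CN is the bare domain, the
# FQDN the site redirects to is covered only by the SAN extension.
SITE_CERT = Cert(common_name="companyname.dk",
                 san_dns=["companyname.dk", "www.companyname.dk"])
CN_ONLY_CERT = Cert(common_name="companyname.dk")

if __name__ == "__main__":
    for host in ("companyname.dk", "www.companyname.dk", "mail.companyname.dk"):
        print(f"{host:24} SAN-aware={hostname_matches(SITE_CERT, host)} "
              f"CN-only={_label_match(SITE_CERT.common_name, host)}")
```

A CN-only comparison rejects www.companyname.dk while the SAN-aware check accepts it; note that the log line quoted in the post reports a CRL retrieval failure, which this matcher does not model.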
PhoneBoy
Admin

This might be a bug and I highly recommend a TAC case.
You can potentially work around this by disabling CRL checking in SmartDashboard (shown here):

[Attached screenshot: Screen Shot 2021-06-24 at 7.57.31 AM.png]
