Hi
I have a problem with HTTPS inspection and SAN cert on R80.30 JHF 219.
The scenario:
HTTPS inspection is enabled with a self-signed cert from the gateway itself and imported onto the clients.
Application Control, URL Filtering and IPsec VPN are enabled.
HTTPS inspection policy is default.
The clients get a cert error when connecting to their company website, which is hosted at a third party hosting-partner.
The certificate coming from the third party contains these details:
- CN = companyname.dk
- Issuer = Let's Encrypt
Subject Alt Names:
Public Key info:
- Algorithm = Elliptic Curve
- Key Size = 384
- etc etc etc.
When you access the website, it redirects you to https://www.companyname.dk and this is where it gives an error on the client when https inspection is enabled. Disabling HTTPS inspection makes it work normally.
Looking in the firewall log I see this:
HTTPS Validation: Invalid CRL Retrived
Resource: www.companyname.dk
Description: www.companyname.dk Detected
Description: No Valid CRL. Certificate DN) 'CN=companyname.dk' Requested Server Name: www.companyname.dk.
It looks to me like the firewall does not like that the FQDN that the request gets redirected to is not the one in CN.
Can I do something about that, generally, so HTTPS inspection takes SAN into consideration?
Something regarding this should have been fixed in our version (219), but not enough I guess: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... (article refers to SAN only being checked first time, should have been fixed in version 195)
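As an added example (not from the original post and not Check Point code), the Python script below shows how a server-name check that honours the subjectAltName extension differs from one that only looks at the subject CN, and, separately, which revocation sources a certificate advertises. The certificate is a constructed dict in the layout returned by Python's ssl getpeercert(), not the real companyname.dk certificate; the OCSP URL is a placeholder, and fetch_peer_cert() is a hypothetical helper for pulling the same layout from a live server.

```python
"""Server-name matching against a certificate, in the style of RFC 6125.

Added example, not from the original post. The certificate dict follows the
layout of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, and
'subjectAltName' is a tuple of (type, value) pairs such as ("DNS", "www.x.dk").
"""
import socket
import ssl


def _dns_names(cert):
    """Return the dNSName entries of subjectAltName (may be empty)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_name(cert):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for (key, value) in rdn:
            if key == "commonName":
                return value
    return None


def _label_matches(pattern, hostname):
    """Case-insensitive match of one dNSName pattern against a hostname.
    A wildcard is honoured only as the entire leftmost label, it matches
    exactly one label, and '*.tld' is rejected as too broad."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (matched, reason). SAN dNSNames take precedence; the CN is
    consulted only when the certificate carries no dNSName SAN at all."""
    names = _dns_names(cert)
    if names:
        for name in names:
            if _label_matches(name, hostname):
                return True, f"'{hostname}' matched SAN dNSName '{name}'"
        return False, f"'{hostname}' not in SAN {names}; CN ignored because SAN is present"
    cn = _common_name(cert)
    if cn and _label_matches(cn, hostname):
        return True, f"'{hostname}' matched CN '{cn}' (no SAN present)"
    return False, f"'{hostname}' matches neither a SAN dNSName nor CN '{cn}'"


def revocation_sources(cert):
    """List where a validator could check revocation status: OCSP responder
    URLs and CRL distribution points, as exposed by getpeercert()."""
    return {
        "ocsp": list(cert.get("OCSP", ())),
        "crl": list(cert.get("crlDistributionPoints", ())),
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Hypothetical helper: fetch the live certificate of hostname in the
    same dict layout, so the checks above can be run against a real server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed certificate (not the real companyname.dk certificate):
# the CN names the apex domain, while the SAN also carries the www host.
SAMPLE_CERT = {
    "subject": ((("commonName", "companyname.dk"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "companyname.dk"), ("DNS", "www.companyname.dk")),
    "OCSP": ("http://ocsp.example.invalid/",),  # placeholder responder URL
    # no crlDistributionPoints: a CRL-only validator has nothing to download
}

# Same certificate with the SAN stripped: what a CN-only check sees.
CN_ONLY_CERT = {"subject": SAMPLE_CERT["subject"], "issuer": SAMPLE_CERT["issuer"]}


if __name__ == "__main__":
    for cert_name, cert in (("with SAN", SAMPLE_CERT), ("CN only", CN_ONLY_CERT)):
        for host in ("companyname.dk", "www.companyname.dk", "mail.companyname.dk"):
            ok, why = match_hostname(cert, host)
            print(f"[{cert_name}] {'OK ' if ok else 'BAD'} {why}")
    print("revocation sources:", revocation_sources(SAMPLE_CERT))
```

Running it shows the redirect target www.companyname.dk passing against the SAN-bearing certificate and failing against the CN-only copy, which is the behaviour a name check that ignores SAN would produce. The revocation_sources() output is worth looking at separately: a "No Valid CRL" log entry concerns the revocation step, not the name step, so knowing whether the served certificate advertises a CRL distribution point at all, or only OCSP, helps tell the two kinds of validation failure apart when reading gateway logs.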