Kilian_Huber
Contributor

HTTPS Inspection, SNI and CN in generated certificate

We're having the following issue:

  • Security Gateway with Application Control/URL Filtering/HTTPS inspection (R80.10)
  • Improved HTTPS Inspection Bypass feature (Probe Bypass) as per sk104717 not enabled
  • Client wants to access a certain URL (let's call it https://host.inter.net/) and connects to IP of this host via port 443. IP is hosted on AWS
  • Client sends SNI in Client Hello with value of "host.inter.net"
  • Security Gateway performs HTTPS inspection and generates SSL certificate with Common Name of "*.us-east-1.es.amazonaws.com" and sends this to client in Server Hello
  • Client sends TLS Alert "Bad Certificate" to server and closes connection

Obviously this is happening because the Security Gateway does not use the SNI sent from the client as the CN in the certificate it generates and presents to the client.

Does anyone else have this or similar issues? How do you work around it?
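As an added illustration (not part of the original post and not Check Point's own code), here is the hostname check a TLS client applies to the certificate the gateway presents, run over the exchange described above. The certificate contents are constructed from the thread: the Common Name is the one the post quotes, and the assumption that the generated certificate carries no subjectAltName, as well as the shape of the "SNI-based" certificate used for comparison, are mine.

```python
"""Hostname-vs-certificate check of the kind a TLS client runs on the
certificate an inspecting gateway generates.  Constructed input only."""
import re
from typing import Dict, List, Tuple

# Constructed from the thread: the SNI the client sent and the subject of the
# certificate the gateway generated.  An empty SAN list is an assumption.
CLIENT_SNI = "host.inter.net"
GENERATED_CERT: Dict[str, object] = {"CN": "*.us-east-1.es.amazonaws.com", "SAN": []}
# Hypothetical certificate a gateway would generate if it used the client's SNI.
SNI_BASED_CERT: Dict[str, object] = {"CN": "host.inter.net", "SAN": ["host.inter.net"]}

# Wildcard only as the whole left-most label, followed by at least two labels.
WILDCARD_RE = re.compile(r"^\*\.[a-z0-9-]+(\.[a-z0-9-]+)+$")

# AlertDescription bad_certificate(42), RFC 5246 section 7.2.
TLS_ALERT_BAD_CERTIFICATE = 42


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are label-wise."""
    return name.strip().rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate DNS name (possibly a wildcard) cover hostname?

    RFC 6125 section 6.4.3 rules: a wildcard is honoured only as the entire
    left-most label, must be followed by at least two labels (so "*.com" is
    rejected) and matches exactly one label of the presented hostname.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    if not WILDCARD_RE.match(pattern):
        return False  # "*.com", "h*st.example.com", "*.*.example.com" ...
    suffix = pattern[1:]  # e.g. ".us-east-1.es.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def certificate_covers_hostname(cert: Dict[str, object], hostname: str) -> Tuple[bool, str]:
    """Evaluate a presented certificate the way a TLS client does.

    subjectAltName dNSName entries are authoritative when present; the subject
    CN is consulted only as a legacy fallback when there is no SAN at all
    (current browsers ignore the CN entirely, so a CN-only certificate fails
    there regardless of what the CN says).
    """
    san: List[str] = list(cert.get("SAN", []))  # type: ignore[arg-type]
    if san:
        names, source = san, "subjectAltName"
    else:
        names, source = [str(cert["CN"])], "CN (no SAN present)"
    for name in names:
        if dns_name_matches(name, hostname):
            return True, f"{name!r} from {source} covers {hostname!r}"
    return False, f"none of {names} from {source} covers {hostname!r}"


def client_reaction(sni: str, cert: Dict[str, object]) -> str:
    """What the client does after the gateway's Server Hello / Certificate."""
    ok, reason = certificate_covers_hostname(cert, sni)
    if ok:
        return f"continue handshake: {reason}"
    return (f"send fatal alert bad_certificate({TLS_ALERT_BAD_CERTIFICATE}) "
            f"and close: {reason}")


if __name__ == "__main__":
    # The thread's case: SNI host.inter.net, certificate for the AWS wildcard.
    print(client_reaction(CLIENT_SNI, GENERATED_CERT))
    # What the client would accept: a certificate built from the SNI.
    print(client_reaction(CLIENT_SNI, SNI_BASED_CERT))
    # The generated wildcard CN would only have satisfied a host in that zone.
    print(client_reaction("search-foo.us-east-1.es.amazonaws.com", GENERATED_CERT))
```

To see exactly what a gateway generated for a given SNI, the same check can be made against a live connection with `openssl s_client -connect <ip>:443 -servername host.inter.net </dev/null | openssl x509 -noout -subject -text`, and compared with the subject and subjectAltName the origin server presents when the gateway is bypassed.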

3 Replies
Vincent_Bacher
Advisor

Hello,
we are facing similar issues at a customer's environment with SNI and don't really have a solution, yet.
This is a reason to attend the R80.30 EA because of the SNI improvement, and I am curious about the testing results.
cheers
Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Alessandro_Marr
Advisor

same way on R80.20 Take 33

Chinmaya_Naik
Advisor

Hi Vincent Bacher, you can use a Hotfix on top of the R80.10 Jumbo take.

NOTE: Make sure that the Hotfix is dependent on the Jumbo take.

Also, if somehow the SNI is not able to be verified, then it works according to the CN.

I have not tested yet with R80.30, but from R80.30 onwards SNI is included with the below improvements.

#Chinmaya Naik

