EAP SSL-TLS Scanning: Category Exclusions and Firewallmanagement not working

Hi,

I already put those as comments below that article https://community.sophos.com/intercept-x-endpoint/early-access-program/b/blog/posts/https-policy-changes

As I'm unsure, if it's gettig read there, I post it her ein the EAP forums again.

I notice 2 issues so far with the new SSL / TLS Scanning of Intercept-X where it is acting as Man-in-the-Middle SSL Scanner.

1. I cannot manage my comanies Sophos XG and SG firewalls with firefox using windows store certificates (security.enterprise_roots.enabled true) anymore. Other browsers are working. The firewalls Webadmin is equipped with commercial wildcard certificate for *.owndomain.abc

SEC_ERROR_REUSED_ISSUER_AND_SERIAL

Excluding owndomain.abc as domain in Sophos Central SSL / TLS Settings is a workaround but we do not want it to be excluded.

When loading the firewall management website with IP https://123.123.123.123:4444 the same error appears with firefox.

2. Excluding Banking websites is not working - the Endpoint will still break SSL and re-encrypt the page as can be seen by the issueing CA. That's a no-go.

examples:

hsbc.co.uk Categorized URL - Finance/Banking Minimal Risk
bankofindia.co.in Categorized URL - Finance/Banking Minimal Risk

added info about firewall mgmt IP
[bearbeitet von: LHerzog um 2:12 PM (GMT -8) am 7 Dec 2021]

Top Replies

Travis_Dadmin over 2 years ago in reply to LHerzog +2

I certainly hope this gets fixed by Sophos soon. Myself and our IT Director are currently in the EAP testing the SSL Decrypt functionality on our workstations and we've been seeing the Firefox error with…

0 LHerzog over 2 years ago

skipping e.g. deutsche-bank.de (a german financial institute) with the URL Exclusion list, you can see, it is not scanning SSL:

Result is:

-------------------------

and now again removed the URL exclusion in Central:

scanned by Sophos
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog over 2 years ago in reply to LHerzog

excluding IP addresses or IP subnet's in Central does not work - the client is ignoring the setting and keeps hijacking SSL connection.

from help:
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog over 2 years ago in reply to LHerzog

does anyone care about the IP exclusions not working? What's the use of the EAP Forum then?

an update to "category exclusions" - that's now working. i interpreted the switches the opposite way. needs to be on/green to exclude.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 stoomart over 2 years ago in reply to LHerzog

This is my first week of running with SSL decryption turned on for my general work system and I'm seeing this same issue, and others.

- Accessing internal system managements interfaces using IPs excluded from decryption fail with PR_CONNECT_RESET_ERROR (firefox) and ERR_CONNECTION_RESET (chrome)

- Related to IP exclusions, accessing internal system management interfaces using non-FQDN names are not properly excluded

- Various sites fail intermittently with the error SEC_ERROR_REUSED_ISSUER_AND_SERIAL, then work after 10-15 seconds

- Some pages simply fail to load, such as https://chromereleases.googleblog.com/ or https://www.brightcloud.com/tools/url-ip-lookup.php

In general, there will need to be some serious reliability improvements to this component for us to enable this functionality across our organization.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog over 2 years ago in reply to stoomart

stoomart said:
- Various sites fail intermittently with the error SEC_ERROR_REUSED_ISSUER_AND_SERIAL, then work after 10-15 seconds

thats usually with firefox open while Sophos endpoint updates are installed in the background. Typical is IPS. had this today again. then you need to close all browser processes and start a fresh session. EP module updates break their ability to do the man in the middle SSL scan for opened browsers.

I can open both of your links fine, though, reencrypred by Sophos Endpoint RSA Root CA

then it happens, that they're not able to update their program
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog over 2 years ago in reply to LHerzog

LHerzog said:
Various sites fail intermittently with the error SEC_ERROR_REUSED_ISSUER_AND_SERIAL, then work after 10-15 seconds

that also happens when your network connectivity changes. You move with your notebook to a different location, plug LAN cable etc. Need to close and reopen browser.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Travis_Dadmin over 2 years ago in reply to LHerzog

I certainly hope this gets fixed by Sophos soon. Myself and our IT Director are currently in the EAP testing the SSL Decrypt functionality on our workstations and we've been seeing the Firefox error with all of our organization's URLs (we use a wildcard cert.) We've since exempted *.ourdomain.edu and it seems to have taken care of it, with the exception of our firewall's management panel, which we connect to via IP address. As you mentioned, Sophos is not honoring IP address exemptions. Thankfully, with it only being us two using that, and neither of us using Firefox as a primary browser, it's not a big deal for now.

However, given this plus other issues I'm seeing as suggested topics at the right, this feature still needs a lot of work before it sees general rollout.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel