blocked HTTPS websites only show SSL_ERROR_RX_RECORD_TOO_LONG when Web Control is enabled

users reported sites not loading showing the error SSL_ERROR_RX_RECORD_TOO_LONG.

this is caused by intercept X Web Control function.

When I disable this feature, the websites are loading fine.

example:

https://www.weihnachtsbaum-heidelberg.de

when I check the non https version of the sites, I get a correct error message from intercept X in browser:

example:

http://www.weihnachtsbaum-heidelberg.de

This is blocked to offensive content which is also wrong.

Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG

IE just says the page cannot be displayed

Edge Chromium says ERR_SSL_PROTOCOL_ERROR

Sophos, what is the problem with the SSL_ERROR_RX_RECORD_TOO_LONG error, are you using a bad certificate in Intercept X?



link truncated
[bearbeitet von: LHerzog um 2:41 PM (GMT -8) am 2 Dec 2020]
Parents
  • other examples are XXX sites where we block nudity. http works, https is showing ssl error:

  • This is expected as the endpoint proxy doesn't man in the middle HTTPS so it can't inject a block/warn page as it does for HTTP.

    You should see the alert for it in the events report though in the UI.

    The upcoming replacement I gather will do SSL inspection at the client.

    You will also see in: "C:\ProgramData\Sophos\Health\Event Store\Trail\" the JSON for the alerts. These "events.sav.webcontrol.block" type events are set with "showNotification":false so there is no desktop popup from the UI up as you would be inundated potentially.

    The old "on-premise" client used to alert all with poups by default and there was a registry key to disable it back then: Service and Support (sophos.com)

Reply
  • This is expected as the endpoint proxy doesn't man in the middle HTTPS so it can't inject a block/warn page as it does for HTTP.

    You should see the alert for it in the events report though in the UI.

    The upcoming replacement I gather will do SSL inspection at the client.

    You will also see in: "C:\ProgramData\Sophos\Health\Event Store\Trail\" the JSON for the alerts. These "events.sav.webcontrol.block" type events are set with "showNotification":false so there is no desktop popup from the UI up as you would be inundated potentially.

    The old "on-premise" client used to alert all with poups by default and there was a registry key to disable it back then: Service and Support (sophos.com)

Children
  • Thanks - great answer! It does not appear you are Sophos Staff. Are you?

    There are all those json files (will they ever be cleaned up?)

    {"resourceId":"events.sav.webcontrol.block","familyId":"{0072CE02-DFFE-4EB6-95FE-297DE91EA838}","counterName":"control","id":"{FEF78F50-82C0-4DB6-9D90-F9722DD25E96}","timeStamp":"2020-12-02T13:43:42Z","sequence":"12","showNotification":false,"app":"SAV","severity":1,"updateSummary":true,"userName":"xxxxxxxx","userSid":"xxxxxxxxx","path":"www.weihnachtsbaum-heidelberg.de","reboot":0}

    How long will it usually take that Sophos reviews a URL? The trustedsource review for UTM webfilter took usually less than 4h. Sophos now seems to take much more time

    is this the correct source for reviewing?

    https://support.sophos.com/support/s/filesubmission?language=en_US

  • How long will it usually take that Sophos reviews a URL? The trustedsource review for UTM webfilter took usually less than 4h. Sophos now seems to take much more time

    Support is currently very slow. But that it also takes more than 2 weeks to get a URL recategorized is just a shame.