Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 14 subscribers
  • Views 19947 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

blocked HTTPS websites only show SSL_ERROR_RX_RECORD_TOO_LONG when Web Control is enabled

LHerzog

users reported sites not loading showing the error SSL_ERROR_RX_RECORD_TOO_LONG.

this is caused by intercept X Web Control function.

When I disable this feature, the websites are loading fine.

example:

https://www.weihnachtsbaum-heidelberg.de

when I check the non https version of the sites, I get a correct error message from intercept X in browser:

example:

http://www.weihnachtsbaum-heidelberg.de

This is blocked to offensive content which is also wrong.

Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG

IE just says the page cannot be displayed

Edge Chromium says ERR_SSL_PROTOCOL_ERROR

Sophos, what is the problem with the SSL_ERROR_RX_RECORD_TOO_LONG error, are you using a bad certificate in Intercept X?



This thread was automatically locked due to age.
Parents
  • 0

    other examples are XXX sites where we block nudity. http works, https is showing ssl error:

  • +1 in reply to LHerzog

    This is expected as the endpoint proxy doesn't man in the middle HTTPS so it can't inject a block/warn page as it does for HTTP.

    You should see the alert for it in the events report though in the UI.

    The upcoming replacement I gather will do SSL inspection at the client.

    You will also see in: "C:\ProgramData\Sophos\Health\Event Store\Trail\" the JSON for the alerts. These "events.sav.webcontrol.block" type events are set with "showNotification":false so there is no desktop popup from the UI up as you would be inundated potentially.

    The old "on-premise" client used to alert all with poups by default and there was a registry key to disable it back then: Service and Support (sophos.com)

Reply
  • +1 in reply to LHerzog

    This is expected as the endpoint proxy doesn't man in the middle HTTPS so it can't inject a block/warn page as it does for HTTP.

    You should see the alert for it in the events report though in the UI.

    The upcoming replacement I gather will do SSL inspection at the client.

    You will also see in: "C:\ProgramData\Sophos\Health\Event Store\Trail\" the JSON for the alerts. These "events.sav.webcontrol.block" type events are set with "showNotification":false so there is no desktop popup from the UI up as you would be inundated potentially.

    The old "on-premise" client used to alert all with poups by default and there was a registry key to disable it back then: Service and Support (sophos.com)

Children
  • 0 in reply to Sophos User930

    Thanks - great answer! It does not appear you are Sophos Staff. Are you?

    There are all those json files (will they ever be cleaned up?)

    {"resourceId":"events.sav.webcontrol.block","familyId":"{0072CE02-DFFE-4EB6-95FE-297DE91EA838}","counterName":"control","id":"{FEF78F50-82C0-4DB6-9D90-F9722DD25E96}","timeStamp":"2020-12-02T13:43:42Z","sequence":"12","showNotification":false,"app":"SAV","severity":1,"updateSummary":true,"userName":"xxxxxxxx","userSid":"xxxxxxxxx","path":"www.weihnachtsbaum-heidelberg.de","reboot":0}

    How long will it usually take that Sophos reviews a URL? The trustedsource review for UTM webfilter took usually less than 4h. Sophos now seems to take much more time

    is this the correct source for reviewing?

    https://support.sophos.com/support/s/filesubmission?language=en_US

  • 0 in reply to LHerzog
    LHerzog said:
    How long will it usually take that Sophos reviews a URL? The trustedsource review for UTM webfilter took usually less than 4h. Sophos now seems to take much more time

    Support is currently very slow. But that it also takes more than 2 weeks to get a URL recategorized is just a shame.

Unfiltered HTML