SSL Decryption Issues

Is anyone else noticing issues with SSL inspection recently? We've just had the new core agent 2023.1.0.73 deployed on our estate and are seeing a vast number of websites being blocked with 'the encryption used by this server hosting the URL is insecure'. Downgrading our core agent to the previous version completely removes this problem.

As you can see from the screenshot, this is a Cisco website using TLS 1.3, but it is being blocked.

2023-06-05T07:15:33.716Z [18416:24736] I [clienthello] connection:0x17c6083ae70 sni:sso.cisco.com ip:72.163.4.70 flowId:98923 decision:decrypt source:snf_cache
2023-06-05T07:15:33.728Z [18416:24736] E SSL_do_handshake returned SSL error= 1 reason=338 error:00000001:lib(0)::reason(1) SSL*=0000017C5F1ACB80
2023-06-05T07:15:33.729Z [18416:24736] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000152:lib(0)::reason(338)
2023-06-05T07:15:33.737Z [18416:24248] E SSL_do_handshake returned SSL error= 5 reason=0 error:00000005:lib(0)::reason(5) SSL*=0000017C5F1ACB80
2023-06-05T07:15:33.737Z [18416:24248] E UnrecoverableError in hasOutput() for flowId=94696 side=Right
2023-06-05T07:15:33.737Z [18416:24248] E SSL_do_handshake returned SSL error= 5 reason=0 error:00000005:lib(0)::reason(5) SSL*=0000017C5F1ACB80
2023-06-05T07:15:33.737Z [18416:24248] E UnrecoverableError in output() for flowId=94696 side=Right
2023-06-05T07:15:33.738Z [18416:24248] E SSL_do_handshake returned SSL error= 5 reason=0 error:00000005:lib(0)::reason(5) SSL*=0000017C5F1ACB80
2023-06-05T07:15:33.738Z [18416:24248] E UnrecoverableError in hasOutput() for flowId=94696 side=Right
2023-06-05T07:15:33.738Z [18416:24248] E SSL_do_handshake returned SSL error= 5 reason=0 error:00000005:lib(0)::reason(5) SSL*=0000017C5F1ACB80
2023-06-05T07:15:33.738Z [18416:24248] E UnrecoverableError in output() for flowId=94696 side=Right

  • I assume the error 338 is the most significant part of the message.

    #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED   338

    I wonder if the server doesn't support "RFC 5746 secure renegotiation" and the client is using OpenSSL 3, which enforces that standard by default.

    If you look at the results of these sites here:

    https://testtls.com/sso.citrix.com/443

    https://testtls.com/sso.cisco.com/443

    Both are:

    Secure Renegotiation VULNERABLE

    I assume this is what is being picked up?

    Apple.com, for example: https://testtls.com/apple.com/443

    Secure Renegotiation supported

    You could check if all the sites you see the error on align with the above scenario.

    I suppose you can turn off decryption for the site under: https://cloud.sophos.com/manage/endpoint/config/settings/ssl-tls-decryption

    The policy should end up in https_decrypt_excluded_sites under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latest]\web_protection

    Does that help?

  • You could be onto something here. All the websites I've checked have come up with similar results on the TLS checker. I've got a support case open, so I'll see what they say too. It's a shame they didn't tell us about these extra checks in the latest core agent release, if that's the case.

  • Another option to test would be to use openssl, e.g:

    "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" s_client -tls1_2 -connect sso.citrix.com:443

    That returns "Secure Renegotiation IS NOT supported". If it is supported, you can hit R and it will renegotiate; for the main domain it will work, e.g.:

    "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" s_client -tls1_2 -connect citrix.com:443

    The feature of SophosNetFiler.exe has always been there, I wonder if a shift to OpenSSL 3 is the change?

  • As suggested, access to the site is being blocked due to the server not supporting Secure Renegotiation and therefore considered vulnerable to CVE-2009-3555. This check was new to OpenSSL 3 which was updated in this release.

    To resolve the problem we will release an update of the 2023.1 Core Agent which disables the OpenSSL setting for now and we will investigate options to let customers determine whether they want to allow or block access to these sites. We expect to have that available next week. Customers who run into the problem can resolve most easily by allowing access to the site via Web Control policy or use Update Management policies to apply a previous Software Package.
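Putting the two checks from this thread together in one script, as an added example (this is not Sophos code and not something posted in the thread): it triages the log excerpt at the top of the thread by decoding the OpenSSL codes it contains (the packed `error:00000152` splits into lib 0, reason 0x152 = 338 = SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED, and `SSL error= 1` / `SSL error= 5` are the SSL_get_error() values SSL_ERROR_SSL / SSL_ERROR_SYSCALL), attributes each failure to the last decrypted ClientHello seen on the same [pid:tid], and parses the "Secure Renegotiation IS / IS NOT supported" line that `openssl s_client` prints. Two things are assumptions rather than facts from the thread: the thread-id join is a guess, because the error lines on thread 24736 carry no flowId (the flowId=94696 errors on thread 24248 belong to some other flow and end up under "<unknown>"); and the www.apple.com log line in the sample is constructed for contrast. The live `check_secure_renegotiation` function needs network access and an `openssl` binary on PATH.

```python
"""Triage SophosNetFilter-style MITM log lines and check RFC 5746 support.

Added example, not Sophos or OpenSSL code. Assumptions: a ClientHello line and
the handshake errors that follow it on the same [pid:tid] belong to the same
flow (the thread's error lines carry no flowId); the www.apple.com line in
LOG is constructed.
"""
import re
import subprocess
from collections import defaultdict

# OpenSSL 3 packs (lib, reason) into the 32-bit code printed as error:XXXXXXXX
# (ERR_GET_LIB / ERR_GET_REASON in include/openssl/err.h.in).
ERR_LIB_OFFSET = 23
ERR_REASON_MASK = 0x7FFFFF

# Reason codes from include/openssl/sslerr.h (subset relevant here).
SSL_REASON_NAMES = {338: "SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED"}
# SSL_get_error() return values from include/openssl/ssl.h (subset).
SSL_GET_ERROR_NAMES = {1: "SSL_ERROR_SSL", 5: "SSL_ERROR_SYSCALL"}

PREFIX = r"^(?P<ts>\S+) \[(?P<pid>\d+):(?P<tid>\d+)\] [IWE] "
CLIENTHELLO_RE = re.compile(
    PREFIX + r"\[clienthello\] .*?sni:(?P<sni>\S+) .*?decision:(?P<decision>\S+)")
HANDSHAKE_RE = re.compile(
    PREFIX + r"SSL_do_handshake returned SSL error= (?P<sslerr>\d+) reason=(?P<reason>\d+)")
MITM_FAIL_RE = re.compile(
    PREFIX + r"Failed to set up SSL MITM encryption: .*?error:(?P<code>[0-9A-Fa-f]{8}):")

# First five lines are copied from the thread; the last line is constructed
# (TEST-NET-1 address) to show a decrypted flow with no failure.
LOG = """\
2023-06-05T07:15:33.716Z [18416:24736] I [clienthello] connection:0x17c6083ae70 sni:sso.cisco.com ip:72.163.4.70 flowId:98923 decision:decrypt source:snf_cache
2023-06-05T07:15:33.728Z [18416:24736] E SSL_do_handshake returned SSL error= 1 reason=338 error:00000001:lib(0)::reason(1) SSL*=0000017C5F1ACB80
2023-06-05T07:15:33.729Z [18416:24736] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000152:lib(0)::reason(338)
2023-06-05T07:15:33.737Z [18416:24248] E SSL_do_handshake returned SSL error= 5 reason=0 error:00000005:lib(0)::reason(5) SSL*=0000017C5F1ACB80
2023-06-05T07:15:33.737Z [18416:24248] E UnrecoverableError in hasOutput() for flowId=94696 side=Right
2023-06-05T07:15:34.001Z [18416:24800] I [clienthello] connection:0x17c6083bf00 sni:www.apple.com ip:192.0.2.10 flowId:98930 decision:decrypt source:snf_cache
"""


def decode_openssl_error(code_hex):
    """Split a packed code such as '00000152' into (lib, reason); 0x152 == 338."""
    code = int(code_hex, 16)
    return (code >> ERR_LIB_OFFSET) & 0xFF, code & ERR_REASON_MASK


def triage(log_text):
    """Return {sni: sorted failure names} for decrypted flows whose MITM
    handshake failed; flows that produced no error are omitted."""
    last_sni_by_tid = {}          # assumption: tid is the only join key
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENTHELLO_RE.match(line)
        if m:
            if m["decision"] == "decrypt":
                last_sni_by_tid[m["tid"]] = m["sni"]
            continue
        m = HANDSHAKE_RE.match(line)
        if m:
            reason, sslerr = int(m["reason"]), int(m["sslerr"])
            # reason 0 (e.g. SSL_ERROR_SYSCALL) carries no OpenSSL reason to map
            name = (SSL_REASON_NAMES.get(reason, f"reason {reason}") if reason
                    else SSL_GET_ERROR_NAMES.get(sslerr, f"SSL_get_error {sslerr}"))
            findings[last_sni_by_tid.get(m["tid"], "<unknown>")].add(name)
            continue
        m = MITM_FAIL_RE.match(line)
        if m:
            _lib, reason = decode_openssl_error(m["code"])
            name = SSL_REASON_NAMES.get(reason, f"reason {reason}")
            findings[last_sni_by_tid.get(m["tid"], "<unknown>")].add(name)
    return {sni: sorted(names) for sni, names in findings.items()}


RENEG_RE = re.compile(r"^Secure Renegotiation IS (NOT )?supported", re.M)


def parse_s_client_output(text):
    """True / False from the 'Secure Renegotiation' status line, None if absent."""
    m = RENEG_RE.search(text)
    return None if m is None else m.group(1) is None


def check_secure_renegotiation(host, port=443, openssl="openssl"):
    """Live check (network required; not run by the offline test). TLS 1.2 is
    forced because TLS 1.3 has no renegotiation at all, so on a 1.3 session
    s_client prints 'IS NOT supported' regardless of RFC 5746 support."""
    proc = subprocess.run(
        [openssl, "s_client", "-tls1_2", "-servername", host, "-connect", f"{host}:{port}"],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=15)
    return parse_s_client_output(proc.stdout)


if __name__ == "__main__":
    for sni, names in triage(LOG).items():
        print(f"{sni}: {', '.join(names)}")
```

Run against the posted excerpt, `triage` attributes the reason-338 failure to sso.cisco.com and files the thread-24248 SSL_ERROR_SYSCALL lines under "<unknown>", which is the right answer: nothing in the excerpt ties those to the Cisco flow. To confirm the root cause for a blocked site, call `check_secure_renegotiation("sso.cisco.com")` and compare with a site that passes; a `False` here on a `-tls1_2` session is exactly the condition that makes OpenSSL 3 refuse the connection with reason 338.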