ssl_handshake: Input/output error are the only logs in Web Filter

Since re-enabling the "decrypt and scan" transparent part of the UTM that acts as my gateway, the only logs I see in Web Filtering are these. Just tons and tons of these. Never any actual connections, URLs, user agents, or categories (as it used to be). This makes it REALLY hard to troubleshoot when a certain application or website does not work (but disabling Web Filtering WILL cause that application to work, so I know the issue resides with that feature), since I do not know what it tried to access or how it was blocked. Restarting endpoints, applications, the Sophos UTM, and Web Filtering all makes no difference. Suffice it to say, this is very annoying; does anyone have any suggestions? Thank you.

 

Certificates for the Decrypt function are installed on the endpoints to remediate those warnings.  I warn on "uncategorized" and for some applications, you'll never see this unless you look in the logs to see where it was trying to connect to.  For the end user they'll just be stuck waiting for a load or get a generic error.

 

2019:06:30-17:23:34 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xcc0ff800" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:23:44 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd0c40e00" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:23:55 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd11c2300" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:24:05 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc86b9100" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:24:15 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd1028700" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:24:26 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd1685c00" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:24:36 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x1143aa00" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:24:46 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd04f9c00" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:24:57 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc80a7500" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:25:07 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd076d500" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:25:18 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd17ebc00" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:25:28 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdcd2c700" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:25:38 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa5f7100" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:25:49 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdcd2d500" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:25:59 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd0604e00" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
2019:06:30-17:26:10 SophosUTM httpproxy[31761]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xcc0fc000" function="ssl_connect" file="ssl.c" line="1654" message="ssl_handshake: Input/output error"
 
The forums, to post a new message or join a group, do not seem to work well with the latest version of Chrome?


  • Hello Jacob,

    Welcome to the Community!

    Have you changed any ciphers in HTTPProxy recently or before enabling the Decrypt & Scan? And is the device on version 9.603?

    Regards

    Jaydeep

  • Hi Jaydeep,

     

    Thanks for replying!

    Version is:  Firmware version: 9.603-1

     

    I have not changed the ciphers.

     

    Anything else you wish me to check or take screenshots of?

     

    Thanks.

     

  • Thanks for the update.

    It might be with the certificate being used for Decrypt and Scan, but it will require digging a lot deeper to identify this issue. If you have a licensed product, please create a case; this might be a rare occurrence where HTTP Proxy fails to open a secure connection. If you're using a Home License, I'll PM you the next steps to check the details.

    Regards

    Jaydeep

  • Hi Jaydeep,

     

    I am using a home license, so please let me know what you wish me to do.

     

    I did regenerate, and install on all endpoints, the encrypt/decrypt certificates that the UTM uses for its "man in the middle" decryption process.

     

    Items in the encrypted channel still seem to get blocked (or allowed with an exception), so I believe the decrypt and scan is still taking place.  For instance, I've had to add SSL decryption exceptions for various sites like Google products or Streaming media, and doing so has allowed these services and sites to work properly again.

     

    Thanks.

  • Hi Jacob,


    Thanks for the update. I'll send you a DM, please reply there.

    Regards

    Jaydeep

  • Hi

    I recently posted a similar question relating to apps on an iPad generating the below format of error messages:

    2019:06:10-11:09:44 hadrian httpproxy[5329]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1626" message="Read error on the http handler 87 (Input/output error)"

    DouglasFoster very kindly responded with the below:

    In my experience, "input/output error" means "could not negotiate a ciphersuite acceptable to both devices". Disabling https inspection for that URL should solve the problem.

    In my prior research, I determined that UTM uses a FIPS-certified version of OpenSSL, and they are limited because OpenSSL.org has been slow to deploy a FIPS module for the newer versions of the OpenSSL libraries.   You can use "openssl version" from the ssh environment to check the version of OpenSSL on your UTM.

    I had a look at UTM's OpenSSL version and I see what he means; whilst my laptop (Debian) is using 1.1.0j (20 Nov 2018), UTM is using 1.0.2j-fips (26 Sep 2016). I also had a look at the OpenSSL information page (www.openssl.org/.../fips.html) and it looks like they'll not be validating anything else until OpenSSL 1.1.1 has been released.

    I'm finding this issue cropping up a lot with iThing apps (the BBC Weather app being the latest one that I've yet to work on), and considering how few apps I have installed on my antique iThing (hardly any, in fact), my assumption is that this might now be getting quite commonplace, so it would be extremely useful if there was some means by which we could view the domain names in a log file and thus create exceptions for them in the web filter (without having to resort to Wireshark).

    Kind regards

    Briain :)

  • Hi

    I just found an absolutely excellent new Sophos tutorial titled 'Sophos UTM: How to capture packets and download the Packet Capture' (published 27 Jun 2019) at the below link:

    https://community.sophos.com/kb/en-us/134286

    So, regarding the iOS BBC weather app I mentioned above, I just SSH'd into UTM and ran the command noted in that excellent tutorial (using my iPad's IP address to filter the capture), then I started the BBC weather app, waited for it to show a failure then used Ctrl+c (on the SSH terminal) to stop the capture. I then downloaded the pcap file from the UTM web interface (at https://<UTM hostname:Port>/tcpdump.pcap; that is a great feature) and opened it in Wireshark. It only took a few seconds to then find the below 'suspicious' looking entry:

    weather-broker-cdn.api.bbci.co.uk (noting the 'i' after the 'bbc')

    I then changed my existing BBC exception from ^https?://[A-Za-z0-9.-]*\.bbc\.co\.uk/ to instead being ^https?://[A-Za-z0-9.-]*\.bbci?\.co\.uk/ and started the BBC weather app, which now works perfectly (unlike the Scottish weather, of course)! :-P

    Problem solved; I can now repeat the process for the other apps that failed to start (and were resulting in the generation of these 'input/output error' log entries).

    So, please do excuse me for 'shouting' this from the rooftops but...

    Thank you very much indeed for writing that great tutorial, Sophos! :-)

    Kind regards,

    Briain (a very happy Briain)
