Using the new DPI SSL/TSL, Linkedin does not open with Firefox on Mac

Linkedin does not open at all.

  • In reply to lferrara:

    I guess, there is differently something wrong in your setup. 

    Because i started to PoC XGv18 EAP to some customers and there are do not have any issues in this setup. 

     

    You are saying, the Normal Proxy is not causing this issue? 

     Maybe you could investigate this appliance? 

  • In reply to lferrara:

    Hi Luk,

    I clicked on your troublesome link and was able to access the page as well as sub pages. I am running DPI on a 6gb XG.

    Ian

  • Hi  

    Thanks for the feedback.Let's have troubleshooting session for the same. sending you PM for the same.

    Thanks,

    Rana Sharma

  • In reply to lferrara:

    FYI:

    just moved to EAP 3 and still Linkedin, ebay and amazon.it do not open on MAC OS Catalina and Firefox latest releases, if DPI is on. See the screenshot.

    This should be investigated by Sophos before GA release. Same computer, same websites with Safari, they open as expected. Browsing through FF is very slow compared to web proxy or compared to Safari with DPI enabled.

    Regards

  • In reply to lferrara:

    It seems I am alone with this issue. Even on eap 3, I have disabled DPI.

    This is sad for me as I would like to use and test the new dpi engine.

  • In reply to lferrara:

    Well your not alone, same thing happens with me with DPI. But Isn't common to happen.

     

    EDIT: It's not only in Firefox, same thing is happening on Chrome.

    To "fix" this, I've created exceptions on the websites that has been giving this error.

  • In reply to Prism:

    Can someone look at this issue?

    Thanks

  • In reply to Prism:

    Hi folks,

    you might not be alone!

    I get that error on some sites, but when I reload the page the connection goes through. This issue only started about 2 hours after EAP 3 was installed.

    Next little thing, I tried setting creating my own SSL/TLS rule but no traffic went through it. So I disabled the two default rules and still no traffic. You cannot place your rule higher than the default rules which is sort of defeating being able to create your own rules.

    The only SSL/TLS rule passing traffic is default rule 1. Nothing in the logs about the other failures.

    Ian

  • In reply to rfcat_vk:

     

    can you ask to some developers to look at this thread?

    With my XG and FF, I am not able to open at all:

    ebay.it

    amazon.it

    I am not able to test DPI at all and this is frustrating me. Same MAC with Safari, the same sites work as expected.

    Regards

  • In reply to lferrara:

    Most of the people, including myself are on holiday right now. 

    So i do have any way to contact anybody. 

     

    But lets wrap this up, I do not have any Mac right now to reproduce this. 

    Did you regenerate all your certificates and reimport them into Firefox? 

    It looks like your Firefox do not like the decryption at all. 

    Based on your tcpdump, the client is killing the connection quickly. 

     

     

    Could you please show us your DPI Profiles?

    Which certificate do you use to decrypted? 

  • In reply to LuCar Toni:

    Sophos CA is imported. Take note I am using Decrypt and Scan since 2016 and no problem at all. I tried to reimport the CA in Firefox nothing changes. Safari works as expected on the same Mac.

    DPI profile is the default one. Same profile, same computer, different browsers different behaviours.

    If anyone is on holiday and no one is reachable after January, Merry Christmas to all Sophos Staff and Community members.

    [

  • In reply to lferrara:

    Regarding the Change of the SSL Requirements by Apple, maybe something broke there.

    Because the DPI Engine can actually use both CAs (default and SSL CA).

    Thats my first question, did you try both CAs to import and choose in DPI?

     

     

    This option may differ from the Proxy CA.

     

     

     

    If you recreate a new Profile with everything "enabled" (not blocked), anything different?

     

    I am not sure about the whole Apple requirement and the Firefox implementation into the certificate store (Most likely because i am too dumb to use a Mac...).

    Does firefox use an own Certificate store on Mac (like windows)?

  • In reply to LuCar Toni:

    Hi Lucar,

    Thanks for your suggestions. I tried to create a separate decryption profile where the re-signing CA is Sophos CA as web proxy, but after few minutes, same behaviour on Firefox. Linkedin, ebay, amazon do not open at all.

    Yes, FF uses its own CA repo and I imported both default and Sophos CA but no way.

    It seems like the DPI works for a couple of minutes and then something crashes on the system.