Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL Inspection KEY_TYPE__UNKNOWN

Hi,

an application tried to decrypt a SSL/TLS connection but was getting an error "unknown ca(48)" :

messageid="19018" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="<changed>" src_ip="<changed>" dst_ip="194.149.233.199" user_group="<changed>" src_country="R1" dst_country="ITA" src_port="57985" dst_port="3048" app_name="" category="IPAddress" con_id="3862505024" rule_id="2" profile_id="4" rule_name="<changed>" profile_name="<changed>" bitmask="Invalid issuer" key_type="KEY_TYPE__RSA" key_param="RSA 4096 bits" fingerprint="d2:ae:51:0e:ec:fe:5c:f7:32:81:0d:70:84:51:03:fe:22:48:30:3a" resumed="0" cert_chain_served="FALSE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" sni="194.149.233.199" tls_version="TLS1.2" reason="TLS handshake fatal alert: unknown CA(48)." exception="" message=""

I imported the certificate from the CA and now I get following error: KEY_TYPE__UNKNOWN.

messageid="19017" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="<changed>" src_ip="<changed>" dst_ip="80.84.99.20" user_group="<changed>" src_country="R1" dst_country="ITA" src_port="58012" dst_port="3048" app_name="" category="IPAddress" con_id="282071680" rule_id="2" profile_id="4" rule_name="<changed>" profile_name="<changed>" bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="" sni="80.84.99.20" tls_version="Unknown" reason="TLS handshake fatal alert: unexpected message(10)." exception="" message=""

Can someone give me a hint whats wrong?



This thread was automatically locked due to age.
  • Hello,

    Good day and thanks for reaching out to Sophos Community.

    Are you using TLS 1.2 or 1.3? Can you try using only 1.2?

    Also, Could you please try to change the in the non-decryptable traffic option When SSL/TLS connection exceed limit from Reject to Allow if the settings are set to reject. 

    kindly let us know how the above recommendations would result. 

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • The KEY_TYPE__UNKNOWN value simply indicates that the key has not yet been negotiated completely by the time the connection ended. Similarly, you will see some other "unknown" values in that log message.  

    The actual reason for connection failure is that one of the endpoints (client or server) does not "understand" what the other one is sending it, and thus replies with the unexpected_message TLS alert. The firewall notices the alert, and logs it as part of the log message:  

     reason="TLS handshake fatal alert: unexpected message(10)

    Per RFC 5246 (TLS 1.2 - since the connection did not reach TLS 1.3 negotiation before being aborted):

    unexpected_message

    An inappropriate message was received. This alert is always fatal
    and should never be observed in communication between proper
    implementations.

    Implementations MUST NOT send record types not defined in this
    document unless negotiated by some extension. If a TLS
    implementation receives an unexpected record type, it MUST send an
    unexpected_message alert.

    You can possibly view the traffic with Wireshark to try and understand the endpoint behavior better.