
SSL/TLS inspection vs HSTS

I have enabled SSL/TLS inspection to do MITM for HTTPS (443) traffic from LAN to WAN. I have pushed the CA certificate by GPO to the Windows computers. That works just fine for most sites.

Now I have an issue with sites that have HSTS enabled.

For those sites that enable HSTS, I have to add the site to Web / URL groups / Local TLS exclusion list and need to maintain that exclusion list so they are not decrypted.

But what if I want to automatically exclude sites with HSTS enabled?

What we know is that HSTS is enabled with a property set in the html header.

HTTP/1.1 302 Found
Date: Fri, 09 Aug 2024 18:58:44 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: /fr/
Vary: Cookie
Strict-Transport-Security: max-age=15724800; includeSubDomains

SSL/TLS inspection allows for two types of exclusions, certificate and web category (or URL). HSTS is enabled in the web page header with a property, so the certificate property cannot be used to "do not decrypt" HSTS sites.

Now looking at web site categories, I can define a new one. Web sites can be categorized by URL, which is back to square one where I have to maintain a list of URLs. That leaves me with "keyword". I have tried to set Strict-Transport-Security as a keyword, but it looks like the header is not scanned for keywords. No luck...

Is there a way to automatically detect websites with HSTS enabled and "do not decrypt" these, or put websites with HSTS in a specific URL category to skip them?

What are you doing ?




Added TAGs
[edited by: Raphael Alganes at 11:36 PM (GMT -7) on 11 Aug 2024]
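The detection the question asks for can at least be scripted outside the firewall: fetch each candidate site over HTTPS, parse the Strict-Transport-Security response header the way RFC 6797 prescribes (max-age mandatory, first header field only, duplicate directives invalidate the header, max-age=0 clears a policy), and emit the host list that would be pasted into the Local TLS exclusion list. The Python below is an added example written for this page, not Sophos code or anything from the original post. The responses are constructed inline (the first one reuses the header set shown above) and the hostnames are placeholders; the `*.host` notation for includeSubDomains policies is an assumption about the exclusion list format, not something SFOS is documented to accept. Note that the later replies in this thread point out that an HSTS header by itself does not break inspection, so this list identifies HSTS hosts, not hosts that actually fail.

```python
"""Parse Strict-Transport-Security headers from HTTPS responses and build
the host list for a TLS-inspection "do not decrypt" exclusion list.

Added example for this page. The responses below are constructed, not
captured traffic, and the *.example hostnames are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HstsPolicy:
    host: str
    max_age: int                # seconds the browser remembers the policy
    include_subdomains: bool
    preload: bool


# One directive: token [ "=" ( token / quoted-string ) ]; RFC 6797 section 6.1
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("([^"]*)"|([^;\s]*)))?\s*')


def parse_sts(value: str) -> Optional[dict]:
    """Return {'max_age', 'include_subdomains', 'preload'} or None when the
    header is invalid: max-age missing or non-numeric, or a directive repeated."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE_RE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:                      # duplicates invalidate the header
            return None
        seen[name] = m.group(3) if m.group(3) is not None else m.group(4)
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def parse_response_headers(raw: str) -> tuple:
    """Split a raw HTTP response into (status line, headers). Names are
    lower-cased and only the first occurrence is kept, which is also what
    RFC 6797 tells a client to do when several STS fields are present."""
    head = re.split(r"\r?\n\r?\n", raw, 1)[0]
    lines = head.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, val = line.split(":", 1)
        headers.setdefault(name.strip().lower(), val.strip())
    return lines[0], headers


def hsts_policy(host: str, raw_response: str) -> Optional[HstsPolicy]:
    """Policy a browser would learn from this response. Assumes the response
    was received over an error-free HTTPS connection (HSTS is ignored on
    plain HTTP). max-age=0 means 'forget the policy', so it yields None."""
    _, headers = parse_response_headers(raw_response)
    sts = headers.get("strict-transport-security")
    if sts is None:
        return None
    parsed = parse_sts(sts)
    if parsed is None or parsed["max_age"] == 0:
        return None
    return HstsPolicy(host, **parsed)


def build_exclusion_list(responses: dict) -> list:
    """Hosts to put in the 'do not decrypt' list. The '*.host' entry for
    includeSubDomains policies is an assumed list syntax, not a documented one."""
    out = set()
    for host, raw in responses.items():
        pol = hsts_policy(host, raw)
        if pol is None:
            continue
        out.add(pol.host)
        if pol.include_subdomains:
            out.add("*." + pol.host)
    return sorted(out)


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = {
    "www.hsts-site.example": (
        "HTTP/1.1 302 Found\r\n"
        "Date: Fri, 09 Aug 2024 18:58:44 GMT\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Location: /fr/\r\n"
        "Strict-Transport-Security: max-age=15724800; includeSubDomains\r\n"
        "\r\n<html>...</html>"),
    "plain.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "broken.example": (        # no max-age: browsers ignore this header
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: includeSubDomains; preload\r\n\r\n"),
    "preload.example": (       # quoted max-age value is allowed
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=\"31536000\"; preload\r\n\r\n"),
    "cleared.example": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n",
}

if __name__ == "__main__":
    for entry in build_exclusion_list(SAMPLE_RESPONSES):
        print(entry)
```

Because a policy only lives for max-age seconds and sites add or drop HSTS over time, the script would have to be re-run periodically and the firewall list reconciled against its output; running it from a host that is itself not being inspected avoids reading headers from a re-encrypted copy.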
  • Are you sure it is just HSTS? I run several firewalls with SSL inspection and I do need to exclude some sites from SSL inspection because the application may check the certificate of the webserver and fail with SSL inspection.

    Just HSTS only instructs your browser to always use SSL for a certain site and your browser will not accept HTTP traffic for this URL during the time defined by max-age.

    We can successfully visit (and SSL-inspect) most HSTS sites.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    1. Didn't know why, but with SSL inspection activated, I got no sites with problems regarding HSTS.
    2. Looks like the HSTS standard knows about SSL interception.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • They are both different. HSTS only tells the browser to only use https in the future for a certain (sub)domain. It is something the browser of the visiting user "remembers".

    SSL inspection on the other hand is a mechanism on the firewall to decrypt, inspect and re-encrypt the stream again to send it to the browser (still encrypted and thus still respecting (previous) HSTS setting on webserver).



  • My guess: You are using Authentication like Kerberos? Because this was addressed in V20.0 MR2. 


  • Normally, HSTS also remembers/pins the last certificate and doesn't allow another one (like our firewall-created one).

    but it works for me.


    Dirk


  • Browsers will only disallow untrusted certificates in these cases. That would mean that the SSL-inspection CA is untrusted if that is the reason for this problem. The browser will in that case not give the option to continue visiting the "unsafe" site but will reject the connection when the server sent an HSTS header before.

    Browsers do, as far as I know and can find, not pin last certificates. That would mean that sites using Let's Encrypt certs would not work anymore when the cert is renewed somewhere within the 90 days the cert is valid, or whenever a website owner decides to start making use of a new certificate authority when a cert is renewed.

    OP states that he did push the cert via GPO so that should not be the problem.


    • You can use developer tools in your browser and see the network tab when loading such site to see if you can find any errors.
    • If using Chrome or Edge you can use chrome://net-internals (which will say it has been changed a bit and will forward you to chrome://net-export) to start making exports of your traffic that you can later analyse using a netlog viewer.

    Please let us know if you get any further with it.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
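The reply above describes three client-side behaviours that are worth seeing together: the browser remembers a policy for max-age seconds (scoped to subdomains only when includeSubDomains is set), it rewrites http:// to https:// for a remembered host, and on a certificate error for a remembered host it hard-fails instead of showing an overridable warning, while a certificate chaining to a trusted inspection CA simply proceeds. The Python below is an added model of that logic, written for this page; it is not browser code and not from the original reply. The hostnames and the injectable clock are constructed for the example.

```python
"""Model of client-side HSTS behaviour: policy memory with expiry,
http->https rewriting, and the certificate-error outcome.

Added example for this page, not browser code. Hostnames are placeholders
and the clock is injectable so expiry can be exercised without waiting.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for testing expiry
        self._policies = {}             # host -> (expires_at, include_subdomains)

    def learn(self, host, max_age, include_subdomains=False):
        """Record the policy a response carried; max-age=0 deletes it."""
        host = host.lower()
        if max_age <= 0:
            self._policies.pop(host, None)
            return
        self._policies[host] = (self._now() + max_age, include_subdomains)

    def matching_policy_host(self, host):
        """Exact host first, then each parent domain whose policy carries
        includeSubDomains. Expired entries are dropped on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self._now():
                del self._policies[candidate]
                continue
            if i == 0 or include_subdomains:
                return candidate
        return None

    def is_known(self, host):
        return self.matching_policy_host(host) is not None

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for a known host. Port 80 becomes the
        default 443; any other explicit port is kept (RFC 6797 section 8.3).
        Userinfo in the URL is not preserved by this simplified model."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def certificate_error_outcome(self, host, cert_trusted):
        """'proceed' when the presented chain (e.g. one signed by a deployed
        inspection CA) is trusted; otherwise an overridable 'interstitial'
        for an unknown host and a non-bypassable 'hard_fail' under HSTS."""
        if cert_trusted:
            return "proceed"
        return "hard_fail" if self.is_known(host) else "interstitial"


if __name__ == "__main__":
    store = HstsStore()
    store.learn("site.example", 15724800, include_subdomains=True)
    print(store.rewrite_url("http://www.site.example/fr/"))
    print(store.certificate_error_outcome("www.site.example", cert_trusted=False))
    print(store.certificate_error_outcome("www.site.example", cert_trusted=True))
```

The last two calls are the point of the reply: with the inspection CA in the trust store the outcome is "proceed" even for an HSTS host, so a hard failure on an HSTS site means the browser did not accept the re-signed certificate for some other reason.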

  • Here an example:

    b s d q . o r g

    Even with the CA trusted on the computer, Chrome gives a certificate error with this website. This site enforces HSTS for sure and might also use certificate pinning.

    I'm looking for a way to automatically "do not decrypt" sites like this one without having to create a specific exception.


  • Please use some tools to further analyze the errors, it might give you some hints as to why this is failing exactly.

  • Looking at this example: 

    You have this situation here: https://support.sophos.com/support/s/article/KBA-000008960?language=en_US

    The webserver is not sending the full chain. 

    https://www.ssllabs.com/ssltest/analyze.html?d=bsdq.org&latest 

    SFOS is basically complaining about this, saying: you have to have the full chain, otherwise we will still give the same experience.

    Browsers sometimes have a workaround to not throw errors, but essentially this website is "badly designed". 

    You can resolve it by the two suggestions in the KB above. 


  • I have SSL-inspect on, which does MitM. Here is what I have for Google. The cert is generated by the router using an internal CA that is trusted by Windows (hence "connection is secure").

    On bsdq, "because the website uses HSTS", Chrome "detects" the MitM.

    Doing the original cert analysis with ssllabs is irrelevant; the original cert is replaced by the SSL-inspect, and the certificate seen by Chrome is the one signed by the CA.