Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS inspection vs HSTS

I have enabled SSL/TLS inspection to do MITM for HTTPS(443) trafic from LAN to WAN.  I have push by GPO certificat CA to windows computer.  That work just fine for most site.

Now I have an issue with site that have HSTS enabled.

For those site that enable HSTS. I have to add site to web / URL groups / Local TLS exclusion list and need to maintain that exclusion list so they are not decrypted.

But what if I want the automaticaly exclude site with HSTS enabled ?

What we know is that HSTS is enabled with a property set in the html header.

HTTP/1.1 302 Found
Date: Fri, 09 Aug 2024 18:58:44 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: /fr/
Vary: Cookie
Strict-Transport-Security: max-age=15724800; includeSubDomains

SSL/TLS allow for 2 types of exlusions, certificat and web category (or URL).  HSTS is enabled in the web page header with property, so certificat property can not be user to "do not decrypt" HSTS site.

Now looking a web site category, I can define a new one.  Web site can be categorized by URL, back to square 1 whre I have to maintain a list of URL.  That leave me with "keyword".  I have try to set Strict-Transport-Security as keyword, but look like header is not scanned for keywords.  No luck...

Is there a way to automatically detect website with HSTS enable and "do not decrypt" these, or put website with HSTS in a specific URL categorie to skip them ?

What are you doing ?




This thread was automatically locked due to age.
Parents
  • Are you sure it is just HSTS? I run several firewalls with SSL inspection and I do need to exclude some sites from SSL-inspection because the application may check certificate of webserver and fails with SSL inspection.

    Just HSTS only instructs your browser to always use SSL for a certain site and your browser will not accept HTTP traffic for this URL during the time defined by max-age.

    We can succesfully visit (and ssl-inspect) most HSTS sites.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Here an example:

    b s d q . o r g

    Even with CA trusted on computer, chrome give certificate error with this website.  This site enforce HSTS for sure and might also use certificate pinning.

    I'm looking for a way to automaticaly "do not decrypt" site like this one without having to create a specific exception.

       

Reply Children
  • Please use some tools to further analyze the errors, it might give you some hints as to why this is failing exactly.

    • You can use developer tools in your browser and see the network tab when loading such site to see if you can find any errors.
    • If using Chrome or Edge you can use chrome://net-internals (which will say it has been changed a bit and will forward you to chrome://net-export to start making exports of your traffic that you can later analyse using a netlog viewer.

    Please let us know if you get any further with it.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Looking at this example: 

    You have this situation here:https://support.sophos.com/support/s/article/KBA-000008960?language=en_US 

    The webserver is not sending the full chain. 

    https://www.ssllabs.com/ssltest/analyze.html?d=bsdq.org&latest 

    SFOS is basically complaining about this. Saying, you have to have the full chain otherwise we will still give the same experience. 

    Browsers sometimes have a workaround to not throw errors, but essentially this website is "badly designed". 

    You can resolve it by the two suggestions in the KB above. 

    __________________________________________________________________________________________________________________

  • I have SSL-inspect on, that do MintM.  Here what I have for google.  Cert is generated by router using internal CA that is trusted by windows (hence "connection is secure".



    On bsdq, "because the website uses HSTS", chrome "detect" the MintM





    Doing original cert analysis with ssllabs is irrevelent, the original cert is replace by the SSL-inspect and certificat seen by chrome is the one signed by CA.

  • Did you review my post? Effective the DPI will forward and not "hide" such a webserver. Thats what is being blocked by the browser. It is not HSTS. It is the proxy reporting invalid CA. 

    __________________________________________________________________________________________________________________

  • You are right.  That website did not provide full chain and your link is spot on.

    That website also use HSTS and maybe using cert pinning, but that is not what lead to this error.

    Prior to fw v19.5, when using SSL-inspection on a website that did not provide full chain, and using a less secure decrypt profile (eg: not maximum security), the router will get over the missing intermediat and reencrypt with is own CA (eg: MintM) with no missing intermediat.

    The end user will not be informed of missing intermiediat CA because that information is now hidden by router.  Which can be a security issue.

    Since v19.5, there is two CA: "normal" and "untrusted".  If chain is not complet, router will use the insecure CA that is not trusted by computer.

    I did miss that, if I look back at capture above, I see that CA "Sophos SSL Untrusted CA" is use by router to make chrome report a cert error.  Only the notice regarding HSTS did catch me eyes !

    That is clever...