Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS inspection vs HSTS

I have enabled SSL/TLS inspection to do MITM for HTTPS(443) trafic from LAN to WAN.  I have push by GPO certificat CA to windows computer.  That work just fine for most site.

Now I have an issue with site that have HSTS enabled.

For those site that enable HSTS. I have to add site to web / URL groups / Local TLS exclusion list and need to maintain that exclusion list so they are not decrypted.

But what if I want the automaticaly exclude site with HSTS enabled ?

What we know is that HSTS is enabled with a property set in the html header.

HTTP/1.1 302 Found
Date: Fri, 09 Aug 2024 18:58:44 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: /fr/
Vary: Cookie
Strict-Transport-Security: max-age=15724800; includeSubDomains

SSL/TLS allow for 2 types of exlusions, certificat and web category (or URL).  HSTS is enabled in the web page header with property, so certificat property can not be user to "do not decrypt" HSTS site.

Now looking a web site category, I can define a new one.  Web site can be categorized by URL, back to square 1 whre I have to maintain a list of URL.  That leave me with "keyword".  I have try to set Strict-Transport-Security as keyword, but look like header is not scanned for keywords.  No luck...

Is there a way to automatically detect website with HSTS enable and "do not decrypt" these, or put website with HSTS in a specific URL categorie to skip them ?

What are you doing ?




This thread was automatically locked due to age.
Parents
  • Are you sure it is just HSTS? I run several firewalls with SSL inspection and I do need to exclude some sites from SSL-inspection because the application may check certificate of webserver and fails with SSL inspection.

    Just HSTS only instructs your browser to always use SSL for a certain site and your browser will not accept HTTP traffic for this URL during the time defined by max-age.

    We can succesfully visit (and ssl-inspect) most HSTS sites.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Here an example:

    b s d q . o r g

    Even with CA trusted on computer, chrome give certificate error with this website.  This site enforce HSTS for sure and might also use certificate pinning.

    I'm looking for a way to automaticaly "do not decrypt" site like this one without having to create a specific exception.

       

  • Please use some tools to further analyze the errors, it might give you some hints as to why this is failing exactly.

    • You can use developer tools in your browser and see the network tab when loading such site to see if you can find any errors.
    • If using Chrome or Edge you can use chrome://net-internals (which will say it has been changed a bit and will forward you to chrome://net-export to start making exports of your traffic that you can later analyse using a netlog viewer.

    Please let us know if you get any further with it.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Reply
  • Please use some tools to further analyze the errors, it might give you some hints as to why this is failing exactly.

    • You can use developer tools in your browser and see the network tab when loading such site to see if you can find any errors.
    • If using Chrome or Edge you can use chrome://net-internals (which will say it has been changed a bit and will forward you to chrome://net-export to start making exports of your traffic that you can later analyse using a netlog viewer.

    Please let us know if you get any further with it.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Children
No Data