Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS inspection vs HSTS

I have enabled SSL/TLS inspection to do MITM for HTTPS(443) trafic from LAN to WAN.  I have push by GPO certificat CA to windows computer.  That work just fine for most site.

Now I have an issue with site that have HSTS enabled.

For those site that enable HSTS. I have to add site to web / URL groups / Local TLS exclusion list and need to maintain that exclusion list so they are not decrypted.

But what if I want the automaticaly exclude site with HSTS enabled ?

What we know is that HSTS is enabled with a property set in the html header.

HTTP/1.1 302 Found
Date: Fri, 09 Aug 2024 18:58:44 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: /fr/
Vary: Cookie
Strict-Transport-Security: max-age=15724800; includeSubDomains

SSL/TLS allow for 2 types of exlusions, certificat and web category (or URL).  HSTS is enabled in the web page header with property, so certificat property can not be user to "do not decrypt" HSTS site.

Now looking a web site category, I can define a new one.  Web site can be categorized by URL, back to square 1 whre I have to maintain a list of URL.  That leave me with "keyword".  I have try to set Strict-Transport-Security as keyword, but look like header is not scanned for keywords.  No luck...

Is there a way to automatically detect website with HSTS enable and "do not decrypt" these, or put website with HSTS in a specific URL categorie to skip them ?

What are you doing ?




This thread was automatically locked due to age.
  • Did you review my post? Effective the DPI will forward and not "hide" such a webserver. Thats what is being blocked by the browser. It is not HSTS. It is the proxy reporting invalid CA. 

    __________________________________________________________________________________________________________________

  • You are right.  That website did not provide full chain and your link is spot on.

    That website also use HSTS and maybe using cert pinning, but that is not what lead to this error.

    Prior to fw v19.5, when using SSL-inspection on a website that did not provide full chain, and using a less secure decrypt profile (eg: not maximum security), the router will get over the missing intermediat and reencrypt with is own CA (eg: MintM) with no missing intermediat.

    The end user will not be informed of missing intermiediat CA because that information is now hidden by router.  Which can be a security issue.

    Since v19.5, there is two CA: "normal" and "untrusted".  If chain is not complet, router will use the insecure CA that is not trusted by computer.

    I did miss that, if I look back at capture above, I see that CA "Sophos SSL Untrusted CA" is use by router to make chrome report a cert error.  Only the notice regarding HSTS did catch me eyes !

    That is clever...