Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Replies 3 replies
  • Subscribers 41 subscribers
  • Views 410 views
  • Users 0 members are here
Options
Suggested

Understanding TLS Inspection and Valid Certificate Presentation: How Do Some Sites Avoid Appliance-Generated Certificates?

Sophal Lee

I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate and present its own certificate for inspection purposes.

It almost seems as if the firewall vendor has direct access to the private keys or uses a special integration with CAs. How is it possible for these sites to maintain a valid chain of trust and not show appliance-generated certificates during TLS inspection? Is there a specific method or policy that allows this, or does it involve a direct integration with public CAs?



Added TAGs
[edited by: Raphael Alganes at 11:15 PM (GMT -7) on 29 Aug 2024]
  • 0

    Look under Web/Groups and you'll see "Managed TLS exclusion list" which is "Domains known to be incompatible with TLS decryption. The content of this URL group is managed and may be changed by firmware updates. Sites in this group are excluded from TLS decryption by the built-in SSL/TLS exclusion rule."

  • 0 in reply to Brian1941

    I’m aware that some sites might be on an exclusion list, but the ones I’ve inspected are not included. For these sites, certificate changes are consistently from reputable CAs, and no on-the-fly appliance certificates are being used. My question is: how is Sophos achieving this? Since decryption and inspection functions as a form of MITM (Man-in-the-Middle), you would typically expect SSL/TLS to flag these sites as insecure. How does Sophos manage to maintain a valid certificate chain without triggering such warnings?

  • 0

    If you see the original cert on a website, it is not intercepted and decryption. 

    You could see QUIC (UDP 443) - Do you block this in the firewall rule? 

    __________________________________________________________________________________________________________________

Unfiltered HTML