TLS decryption issue explanation for beginner

Question

Hello, 
 I am converting our customers from primitive FWs to Sophos XGS's and testing TLS decryption. 
 Would anyone be so kind to walk me through what is happening in specific case below: 
 Setup: TLS enabled, any of default profiles, Sophos CA as trusted on client computer. 
 Website: https://www.pentahospitals.cz/ (Czech private hospital group) 
 Error in logs: Blocked due to invalid TLS certificate 
 
 What is the reall cause for the error here? Does this mean that I need to exclude possible loads of websites with similar configurations? 
 Thank You!

Prism · Accepted Answer

Hello! 
 David Kucera said: What is the reall cause for the error here? 
 The certificate chain for this website is invalid, you can find more information about this at SSL Server Test: www.pentahospitals.cz (Powered by Qualys SSL Labs) . 
 David Kucera said: Does this mean that I need to exclude possible loads of websites with similar configurations? 
 It's not that common for this to happen, but since the server main "#1" certificate is valid, you can create an exception for "pentahospitals.cz". 
 Also, if you create an exception for " pentahospitals.cz", it also works as a wildcard, meaning all subdomains will also be exempt.

TLS decryption issue explanation for beginner

Top Replies